[
https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15999478#comment-15999478
]
Andreas Veithen commented on AXIS2-5846:
----------------------------------------
The fix is included in the 1.7.5 release to be published this week.
> Local file inclusion vulnerability in SimpleHTTPServer
> ------------------------------------------------------
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
> Issue Type: Bug
> Components: transports
> Affects Versions: 1.6.2, 1.7.4
> Reporter: Nupur
> Assignee: Andreas Veithen
> Fix For: 1.7.5
>
>
> Defect CSCvd86595: Local file inclusion vulnerability in Axis2
> An defect has been raised on Present PCP 7.3 axis version
> *There is a Local File Inclusion (LFI) present in the Axis2 service. It
> allows the attacker to view certain files that would normally be
> inaccessible. This is a violation of PSB requirement SEC-SUP-PATCH because
> this is a publicly disclosed vulnerability with a patch.
> *security impact: Some of the files that are accessible via this LFI contain
> the username and password to the Axis2 admin interface. While the admin
> interface appears to be disabled currently, if it was ever enabled or an
> attacker found a way to access it, they would gain admin access to the Axis2
> system.
> In addition, this vulnerability is publicly known, which makes it more likely
> to be exploited by an attacker.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
