Thanks a lot for the explanation Andreas! I think we can consider Axis 1.3
safe then.

Regards,
Dariusz

On 21 July 2010 06:37, Andreas Veithen <[email protected]> wrote:

> Dariusz,
>
> The statement in the advisory is based on a test I did on a service
> implemented with Axis 1.4 and on a statement from one of the
> developers of Axis that they identified and fixed this vulnerability
> some years ago. I did not do a code analysis of Axis and I did not do
> a test on any other version of Axis. If you used the exploits
> described in the advisory to test Axis 1.3 and that test gives the
> result you describe, then that version should be considered safe.
>
> Andreas
>
> On Tue, Jul 20, 2010 at 09:33, Dariusz Kordonski
> <[email protected]> wrote:
> > Hi there,
> > tried to deliver the below message to the Axis (original Axis) mailing
> > group, but it seems that the only active group is this one? Hope that
> > somebody here can help me sort out my questions (or direct to the correct
> > mailing group). Thanks!
> > Best regards,
> > Dariusz Kordonski [Atlassian]
> > ---------- Forwarded message ----------
> > From: Dariusz Kordonski <[email protected]>
> > Date: 20 July 2010 16:20
> > Subject: Axis 1.3 and CVE-2010-1632
> > To: [email protected]
> >
> >
> > Hi,
> > we have recently been asked about
> > https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf
> > and if it affects our product (Atlassian JIRA).
> > This security advisory refers to vulnerabilities in Axis2 that result from
> > processing (under some conditions) of DTD references by the Axis2 XML
> > parser. The document also clarifies (page 2) that Axis v1.4 is not affected
> > by this, as it immediately rejects any requests containing a DOCTYPE
> > declaration.
> > Unfortunately, Atlassian JIRA uses Axis in version *1.3* as a foundation for
> > its SOAP API, and, although we are quite certain this version remains
> > unaffected too, we were unable to find any official statement confirming our
> > assumptions. We performed some simple tests by means of sending requests
> > with the following declaration:
> > <!DOCTYPE createIssue [
> > <!ENTITY file SYSTEM "/etc/hosts">
> > ]>
> > included at the beginning of the SOAP request. As a result we received:
> > <?xml version="1.0" encoding="utf-8"?>
> > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> > xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> > <soapenv:Body>
> > <soapenv:Fault>
> > <faultcode>soapenv:Server.userException</faultcode>
> > <faultstring>org.xml.sax.SAXException: Processing instructions are not
> > allowed within SOAP messages</faultstring>
> > <detail>
> > <faultData xsi:type="ns1:SAXException" xmlns:ns1="http://sax.xml.org">
> > <cause xsi:type="ns2:Throwable" xsi:nil="true"
> > xmlns:ns2="http://lang.java"/>
> > <exception xsi:type="ns3:Exception" xsi:nil="true"
> > xmlns:ns3="http://lang.java"/>
> > <message xsi:type="xsd:string">Processing instructions are not allowed
> > within SOAP messages</message>
> > </faultData>
> > <ns4:hostname
> > xmlns:ns4="http://xml.apache.org/axis/">notresspassing</ns4:hostname>
> > </detail>
> > </soapenv:Fault>
> > </soapenv:Body>
> > </soapenv:Envelope>
> > which seems to be confirming that Axis v1.3 is indeed protected against this
> > particular exploit. We are, however, not quite sure if this kind of test is
> > enough. Can you therefore confirm that Axis 1.3 exposes the same level of
> > protection against the above exploit as Axis 1.4 does? Alternatively, what
> > other kind of tests should we perform to make sure it does?
> > Best regards,
> > Dariusz Kordonski [Atlassian]
> >
>

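The behaviour the thread tests for (a request is refused as soon as it carries a DOCTYPE declaration) can be reproduced on a standalone JAXP SAX parser. This is an added example, not Axis code and not code from the thread; the class name and the minimal envelope are constructed for illustration, and the feature URI is the Xerces setting also honoured by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeRejectionCheck {

    // The declaration quoted in the thread.
    static final String DOCTYPE =
        "<!DOCTYPE createIssue [\n"
      + "<!ENTITY file SYSTEM \"/etc/hosts\">\n"
      + "]>\n";

    // Constructed minimal SOAP envelope (not a real JIRA request).
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body/></soapenv:Envelope>";

    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Any DOCTYPE declaration becomes a fatal parse error, so the internal
        // subset and its entity declarations are never processed.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newSAXParser();
    }

    // Returns null when the document is accepted, otherwise the parser's error message.
    static String rejectionReason(String xml) throws Exception {
        try {
            hardenedParser().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                new DefaultHandler());
            return null;
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain envelope:   " + rejectionReason(ENVELOPE));
        System.out.println("DOCTYPE + envelope: " + rejectionReason(DOCTYPE + ENVELOPE));
    }
}
```

A regression test for a SOAP endpoint can assert the same two outcomes: the plain envelope is parsed, and the DOCTYPE-prefixed one produces a fault before any application code runs.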