Jenkins build is back to stable : Axis2 » Apache Axis2 - JAXWS Integration Tests #3691

2017-04-23 Thread Apache Jenkins Server
See 



-
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org



Jenkins build is back to normal : Axis2 #3691

2017-04-23 Thread Apache Jenkins Server
See 





Build failed in Jenkins: Axis2 #3690

2017-04-23 Thread Apache Jenkins Server
See 

Changes:

[veithen] Don't rely on Thread.sleep in unit tests. This will fail on busy CI 
servers.

[veithen] Fix compiler warnings and remove dead/unused code.

[veithen] Revert r1792360; it doesn't fix the problem with AsyncExcecutorTests.

--
[...truncated 1.79 MB...]

Jenkins build is still unstable: Axis2 » Apache Axis2 - JAXWS Integration Tests #3689

2017-04-23 Thread Apache Jenkins Server
See 






Jenkins build is still unstable: Axis2 #3689

2017-04-23 Thread Apache Jenkins Server
See 





[jira] [Updated] (AXIS2-5836) AxisFault class (used by MessageContextBuilder to create SOAPFault) not SOAP version-independent?

2017-04-23 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen updated AXIS2-5836:
---
Fix Version/s: (was: 1.7.5)

> AxisFault class (used by MessageContextBuilder to create SOAPFault) not SOAP 
> version-independent?
> -
>
> Key: AXIS2-5836
> URL: https://issues.apache.org/jira/browse/AXIS2-5836
> Project: Axis2
>  Issue Type: Bug
>  Components: kernel
>Affects Versions: 1.7.4
>Reporter: Jeff Thomas
>
> Not sure if this is a "bug" or if our implementation approach was incorrect.
> 
> The AxisFault class (I assume) was originally constructed as a SOAP 
> version-independent container for fault-information.  
> The MessageContextBuilder, based upon the MessageContext should use the 
> correct SOAPFactory implementation (1.1 or 1.2) to assemble the SOAPFault 
> body from the generic fault-information.
> The SOAP 1.1 Standard says that SOAPFaults may have a user-defined primary 
> fault-code and contains no sub-codes.
> The SOAP 1.2 Standard says that SOAPFaults may only have one of 5 pre-defined 
> primary fault-codes and that the application-specific fault-codes are to be 
> assigned as sub-codes.
> The problem is, for this code to work correctly today I must know which SOAP 
> Version I am targeting when I set the fault-code (and optionally sub-codes) 
> on the new AxisFault object.   As such the AxisFault class is no longer truly 
> SOAP version-independent.
> {code}
> // SOAP 1.1
> AxisFault axisFault = new AxisFault(APPL_QNAME, "reason", ex);
> // SOAP 1.2
> AxisFault axisFault = new AxisFault(SOAP12Constants.QNAME_RECEIVER_FAULTCODE, 
> "reason", ex);
> axisFault.setFaultSubCodes(Arrays.asList(APPL_QNAME));
> {code}
> If all of our exception-classes extend AxisFault and we don't have the 
> MessageContext available at the point at which we throw the exception, then 
> we are not in a position to decide whether or not the current operation is 
> SOAP 1.1 or 1.2.
> We currently have a "workaround" (hack?) which always sets the fault-code of 
> our exceptions to QNAME_RECEIVER_FAULTCODE and in the MessageContextBuilder a 
> custom patch that assumes that if the operation context is SOAP 1.1 and 
> subcodes are set on the AxisFault, that the first subcode is the real 
> application fault-code and all other subcodes are discarded.  However, I am 
> pretty sure this is not the correct approach.
> My feeling is that the AxisFault class is no longer as version-independent as 
> it needs to be with the introduction of SOAP 1.2 special-handling.  However, 
> looking at the code, I am not sure if it is even possible to generically achieve 
> this.
> Alternatively I am not sure if the decision to extend AxisFault for our 
> custom exceptions was the correct choice or if we should have rather caught 
> our custom exceptions in the service-call (where we have the MessageContext) 
> and then built the appropriate generic AxisFault based on whether or not the 
> call is for SOAP 1.1 or 1.2.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)




[jira] [Updated] (AXIS2-5835) AxisFault(SOAPFault) Constructor with SOAP 1.2 SOAPFault incorrectly propagates FaultCode

2017-04-23 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5835?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen updated AXIS2-5835:
---
Fix Version/s: (was: 1.7.5)

> AxisFault(SOAPFault) Constructor with SOAP 1.2 SOAPFault incorrectly 
> propagates FaultCode
> -
>
> Key: AXIS2-5835
> URL: https://issues.apache.org/jira/browse/AXIS2-5835
> Project: Axis2
>  Issue Type: Bug
>  Components: kernel
>Affects Versions: 1.7.4
>Reporter: Jeff Thomas
>
> If the AxisFault constructor is used with a SOAP 1.2 SOAPFault representation 
> (containing SOAP12FaultCodeImpl), the fault-code is incorrectly propagated to 
> the new fault MessageContext.
> Original SOAPFault:
> {code:xml}
> <soapenv:Fault xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>   <soapenv:Code>
>     <soapenv:Value>soapenv:Receiver</soapenv:Value>
>     <soapenv:Subcode>
>       <soapenv:Value xmlns:test="http://www.test.com">test:SOME_CODE</soapenv:Value>
>     </soapenv:Subcode>
>   </soapenv:Code>
>   <soapenv:Reason>
>     <soapenv:Text>Exception occurred.</soapenv:Text>
>   </soapenv:Reason>
> </soapenv:Fault>
> {code}
> The result:
> {code:xml}
> <soapenv:Fault xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>   <soapenv:Code>
>     <soapenv:Value></soapenv:Value>
>     <soapenv:Subcode>
>       <soapenv:Value xmlns:test="http://www.test.com">test:SOME_CODE</soapenv:Value>
>     </soapenv:Subcode>
>   </soapenv:Code>
>   <soapenv:Reason>
>     <soapenv:Text>Exception occurred.</soapenv:Text>
>   </soapenv:Reason>
> </soapenv:Fault>
> {code}
> NOTE: Here the Code/Value should be "soapenv:Receiver" but is empty.
> Possible/Probable Reason: (?)
> In private static method 
> "MessageContextBuilder.createFaultEnvelope(MessageContext, Throwable)", 
> {code:title=MessageContextBuilder.java|borderStyle=solid}
>   ...
>   else if (axisFault != null) {
> ...
> if (axisFault.getFaultCodeElement() != null) {
>   fault.setCode(axisFault.getFaultCodeElement());
>   soapFaultCode = axisFault.getFaultCodeElement().getText();  
>  
> } 
> {code}
> If the SOAPFaultCodeElement is SOAP 1.2, 
> {code}axisFault.getFaultCodeElement().getText() = null{code}.  I believe here 
> a check needs to be done on the SOAPFaultCode if SOAP 1.1 or 1.2 and in the 
> event of 1.2 it should be {code}soapFaultCode = 
> axisFault.getFaultCodeElement().getValue().getText();{code}.
> The result is that in the follow-up code-block the value text is set to an 
> empty string.
> {code}
> if (context.isSOAP11()) {
>   ...
> } else {
>   ...
>   SOAPFaultValue value = fault.getCode().getValue();
>   ...
>   OMNamespace namespace = value.getNamespace();
>   soapFaultCode = switchNamespacePrefix(soapFaultCode, namespace);
>   value.setText(soapFaultCode);
> }
> {code}




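The two reports above describe the same split: SOAP 1.1 carries the application QName as the fault code with no subcodes, SOAP 1.2 carries one of the predefined codes with the application QName as a subcode, and in 1.2 the code text lives on the Value child rather than on the Code element. The helper below is an added illustration of resolving that split at the one point where the MessageContext is known, which is the alternative the AXIS2-5836 reporter raises; it is not code from Axis2, and the class VersionAwareFaults and its method names are hypothetical.

```java
import java.util.Collections;
import javax.xml.namespace.QName;

import org.apache.axiom.soap.SOAP12Constants;
import org.apache.axiom.soap.SOAPFaultCode;
import org.apache.axiom.soap.SOAPFaultValue;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;

/** Hypothetical helper (not part of Axis2) that keeps the SOAP version decision in one place. */
public final class VersionAwareFaults {

    private VersionAwareFaults() {}

    /**
     * Builds an AxisFault valid for the SOAP version of the operation described by ctx.
     * applicationCode is the application-specific QName the service wants to report;
     * callers inside a service typically obtain ctx from MessageContext.getCurrentMessageContext().
     */
    public static AxisFault forOperation(MessageContext ctx, QName applicationCode,
                                         String reason, Throwable cause) {
        if (ctx.isSOAP11()) {
            // SOAP 1.1: the application QName is the fault code itself; there are no subcodes.
            return new AxisFault(applicationCode, reason, cause);
        }
        // SOAP 1.2: the code must be one of the predefined values; the application
        // QName travels as the first subcode, which is the layout AXIS2-5836 quotes.
        AxisFault fault = new AxisFault(SOAP12Constants.QNAME_RECEIVER_FAULTCODE, reason, cause);
        fault.setFaultSubCodes(Collections.singletonList(applicationCode));
        return fault;
    }

    /**
     * Reads the fault code text the way each version stores it. For SOAP 1.2 the text sits
     * on the child Value element, so getText() on the Code element itself yields no text,
     * which is the empty Code/Value that AXIS2-5835 observes after createFaultEnvelope.
     */
    public static String codeText(SOAPFaultCode code, boolean soap11) {
        if (code == null) {
            return null;
        }
        if (soap11) {
            return code.getText();
        }
        SOAPFaultValue value = code.getValue();
        return value == null ? null : value.getText();
    }
}
```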



[jira] [Updated] (AXIS2-5846) Local file inclusion vulnerability in SimpleHTTPServer

2017-04-23 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen updated AXIS2-5846:
---
Component/s: transports

> Local file inclusion vulnerability in SimpleHTTPServer
> --
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
>  Issue Type: Bug
>  Components: transports
>Affects Versions: 1.6.2, 1.7.4
>Reporter: Nupur
> Fix For: 1.7.5
>
>
> Defect CSCvd86595: Local file inclusion vulnerability in Axis2 
> A defect has been raised on Present PCP 7.3 axis version.
> * There is a Local File Inclusion (LFI) present in the Axis2 service. It 
> allows the attacker to view certain files that would normally be 
> inaccessible. This is a violation of PSB requirement SEC-SUP-PATCH because 
> this is a publicly disclosed vulnerability with a patch. 
> * Security impact: Some of the files that are accessible via this LFI contain 
> the username and password to the Axis2 admin interface. While the admin 
> interface appears to be disabled currently, if it was ever enabled or an 
> attacker found a way to access it, they would gain admin access to the Axis2 
> system. 
> In addition, this vulnerability is publicly known, which makes it more likely 
> to be exploited by an attacker. 






[jira] [Resolved] (AXIS2-5846) Local file inclusion vulnerability in SimpleHTTPServer

2017-04-23 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen resolved AXIS2-5846.

   Resolution: Fixed
 Assignee: Andreas Veithen
Fix Version/s: 1.7.5

> Local file inclusion vulnerability in SimpleHTTPServer
> --
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
>  Issue Type: Bug
>  Components: transports
>Affects Versions: 1.6.2, 1.7.4
>Reporter: Nupur
>Assignee: Andreas Veithen
> Fix For: 1.7.5
>
>






[jira] [Commented] (AXIS2-5846) Local file inclusion vulnerability in SimpleHTTPServer

2017-04-23 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15980401#comment-15980401
 ] 

Hudson commented on AXIS2-5846:
---

SUCCESS: Integrated in Jenkins build axis2-1.7 #111 (See 
[https://builds.apache.org/job/axis2-1.7/111/])
AXIS2-5846: Merge r1792353 to the 1.7 branch. (veithen: rev 1792354)
* (edit) axis2
* (edit) 
axis2/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java
* (edit) 
axis2/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java
* (edit) 
axis2/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java


> Local file inclusion vulnerability in SimpleHTTPServer
> --
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
>  Issue Type: Bug
>Affects Versions: 1.6.2, 1.7.4
>Reporter: Nupur
>






Jenkins build became unstable: Axis2 #3688

2017-04-23 Thread Apache Jenkins Server
See 





Jenkins build became unstable: Axis2 » Apache Axis2 - JAXWS Integration Tests #3688

2017-04-23 Thread Apache Jenkins Server
See 






[jira] [Commented] (AXIS2-5846) Local file inclusion vulnerability in SimpleHTTPServer

2017-04-23 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15980384#comment-15980384
 ] 

Hudson commented on AXIS2-5846:
---

UNSTABLE: Integrated in Jenkins build Axis2 #3688 (See 
[https://builds.apache.org/job/Axis2/3688/])
AXIS2-5846: Fix a local file inclusion vulnerability in SimpleHTTPServer. This 
occurs because axis2server.sh adds the root directory of the binary 
distribution to the class path, and SimpleHTTPServer doesn't limit the search 
for XSD/WSDL files to the service class loader. This means that axis2.xml is 
accessible remotely via a specially crafted query string 
(xsd=../conf/axis2.xml).

Although AxisServlet is not known to be vulnerable, this change also modifies 
ListingAgent to limit the search to the service class loader. (veithen: rev 
1792353)
* (edit) 
axis2/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java
* (edit) 
axis2/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java
* (edit) 
axis2/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java


> Local file inclusion vulnerability in SimpleHTTPServer
> --
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
>  Issue Type: Bug
>Affects Versions: 1.6.2, 1.7.4
>Reporter: Nupur
>



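The commit message above names two causes: axis2server.sh puts the distribution root on the class path, and the search for XSD/WSDL files was not confined to the service class loader. The helper below is an added illustration of that mitigation, not the code from r1792353 or any Axis2 class; it assumes schema files are packaged under META-INF/ in the service archive, and the class ScopedResourceLookup and its method names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.regex.Pattern;

import org.apache.axis2.AxisFault;
import org.apache.axis2.description.AxisService;

/**
 * Hypothetical helper (not part of Axis2) showing the defensive shape of the AXIS2-5846
 * fix: a ?xsd=... or ?wsdl=... request is answered only from the requested service's own
 * class loader, and only for a plain relative file name.
 */
public final class ScopedResourceLookup {

    /*
     * Segments may contain letters, digits, '_', '-' and '.', but must start with a letter,
     * digit or '_', so "." and ".." can never form a segment. A leading '/', a backslash or
     * a URL scheme such as "file:" cannot pass either.
     */
    private static final Pattern SAFE_NAME = Pattern.compile(
            "^[A-Za-z0-9_][A-Za-z0-9_.\\-]*(?:/[A-Za-z0-9_][A-Za-z0-9_.\\-]*)*$");

    /** Where this example assumes WSDL/XSD files live inside a service archive. */
    private static final String RESOURCE_PREFIX = "META-INF/";

    private ScopedResourceLookup() {}

    /**
     * Returns the name if it is a safe relative path, otherwise throws. The value from the
     * report, "../conf/axis2.xml", is rejected here before any class loader is consulted.
     */
    static String validateName(String requested) throws AxisFault {
        if (requested == null || requested.trim().isEmpty()) {
            throw new AxisFault("missing resource name");
        }
        String name = requested.trim();
        if (!SAFE_NAME.matcher(name).matches()) {
            throw new AxisFault("illegal resource name");
        }
        return name;
    }

    /**
     * Opens the named resource through the service's class loader only. Name validation is
     * the primary control: a standard class loader delegates to its parents, so an unchecked
     * traversal string could still reach directories that sit on the JVM class path.
     */
    public static InputStream open(AxisService service, String requested)
            throws AxisFault, IOException {
        String name = validateName(requested);
        ClassLoader serviceLoader = service.getClassLoader();
        if (serviceLoader == null) {
            throw new AxisFault("service " + service.getName() + " has no class loader");
        }
        URL url = serviceLoader.getResource(RESOURCE_PREFIX + name);
        if (url == null) {
            throw new AxisFault("no such resource in service " + service.getName() + ": " + name);
        }
        return url.openStream();
    }

    /** Stand-alone check of the validator on constructed inputs; needs no running server. */
    public static void main(String[] args) {
        String[] inputs = {"Types.xsd", "schemas/Common.xsd", "../conf/axis2.xml",
                           "/conf/axis2.xml", "a\\b.xsd", "file:axis2.xml", ".hidden"};
        for (String in : inputs) {
            try {
                System.out.println("accept " + validateName(in));
            } catch (AxisFault e) {
                System.out.println("reject " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first two inputs are accepted; each of the others is rejected before any lookup, and even an accepted name resolves relative to META-INF/ inside the service's own loader rather than the server's working directory.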



[jira] [Resolved] (AXIS2-4756) Standalone Axis2 server cannot handle multipart http requests

2017-04-23 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen resolved AXIS2-4756.

Resolution: Won't Fix

> Standalone Axis2 server cannot handle multipart http requests
> -
>
> Key: AXIS2-4756
> URL: https://issues.apache.org/jira/browse/AXIS2-4756
> Project: Axis2
>  Issue Type: Bug
>  Components: kernel, transports
>Affects Versions: 1.5.1, nightly
>Reporter: Detelin Yordanov
> Attachments: FileUploadService.aar, MultiPartHttpTest.zip, patch.txt
>
>
> When running a standalone Axis2 server and a multipart Http request is 
> received, the org.apache.axis2.builder.MultipartFormDataBuilder will throw an 
> exception: "Cannot create DocumentElement without HttpServletRequest".
> Reason for this is that the Axis2 Http server wraps the incoming http request 
> into an AxisHttpRequest and there is no HttpServletRequest available.






[jira] [Created] (AXIS2-5847) Replace SimpleHTTPServer with an embedded Jetty server

2017-04-23 Thread Andreas Veithen (JIRA)
Andreas Veithen created AXIS2-5847:
--

 Summary: Replace SimpleHTTPServer with an embedded Jetty server
 Key: AXIS2-5847
 URL: https://issues.apache.org/jira/browse/AXIS2-5847
 Project: Axis2
  Issue Type: Improvement
  Components: transports
Reporter: Andreas Veithen


SimpleHTTPServer has multiple problems:
- It's based on an old version of HTTPComponents.
- It has vulnerabilities not present in AxisServlet; see e.g. AXIS2-5846.
- Some features are only supported with AxisServlet; see e.g. AXIS2-4756.

To solve these issues, the SimpleHTTPServer code should be trashed and replaced 
by an embedded servlet container (e.g. Jetty) running AxisServlet.






[jira] [Updated] (AXIS2-5846) Local file inclusion vulnerability in SimpleHTTPServer

2017-04-23 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen updated AXIS2-5846:
---
Summary: Local file inclusion vulnerability in SimpleHTTPServer  (was: 
Local file inclusion vulnerability in Axis2)

> Local file inclusion vulnerability in SimpleHTTPServer
> --
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
>  Issue Type: Bug
>Affects Versions: 1.6.2, 1.7.4
>Reporter: Nupur
>






[jira] [Updated] (AXIS2-5846) Local file inclusion vulnerability in Axis2

2017-04-23 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen updated AXIS2-5846:
---
Priority: Major  (was: Critical)

> Local file inclusion vulnerability in Axis2
> ---
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
>  Issue Type: Bug
>Affects Versions: 1.6.2, 1.7.4
>Reporter: Nupur
>






[jira] [Updated] (AXIS2-5846) Local file inclusion vulnerability in Axis2

2017-04-23 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen updated AXIS2-5846:
---
Affects Version/s: 1.7.4

> Local file inclusion vulnerability in Axis2
> ---
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
>  Issue Type: Bug
>Affects Versions: 1.6.2, 1.7.4
>Reporter: Nupur
>






[jira] [Commented] (AXIS2-5846) Local file inclusion vulnerability in Axis2

2017-04-23 Thread Andreas Veithen (JIRA)

[ 
https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15980360#comment-15980360
 ] 

Andreas Veithen commented on AXIS2-5846:


As far as I can see this occurs only with SimpleHTTPServer, not with 
AxisServlet. Since the admin console isn't supported with SimpleHTTPServer, the 
user name and password exposed isn't actually used, and an attacker wouldn't be 
able to gain any additional privileges.

Also note that (at least in my opinion) SimpleHTTPServer shouldn't be used in 
production systems. Probably we should replace that code with an embedded Jetty 
server and use AxisServlet.

> Local file inclusion vulnerability in Axis2
> ---
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
>  Issue Type: Bug
>Affects Versions: 1.6.2
>Reporter: Nupur
>Priority: Critical
>


