Here is my WSDL (simplified):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!--
  Simplified WSDL 1.1 contract for the Example service: one port type with two
  request/response operations, bound to SOAP over HTTP in rpc/literal style.
-->
<wsdl:definitions name="Example"
                  targetNamespace="http://example.com/Example/"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:tns="http://example.com/Example/"
                  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema">

  <!-- Messages declare no parts in this simplified listing. -->
  <wsdl:message name="Operation1Request"/>
  <wsdl:message name="Operation1Response"/>
  <wsdl:message name="Operation2Request"/>
  <wsdl:message name="Operation2Response"/>

  <!-- Abstract interface: two independent request/response operations. -->
  <wsdl:portType name="ExamplePortType">
    <wsdl:operation name="Operation1">
      <wsdl:input message="tns:Operation1Request"/>
      <wsdl:output message="tns:Operation1Response"/>
    </wsdl:operation>
    <wsdl:operation name="Operation2">
      <wsdl:input message="tns:Operation2Request"/>
      <wsdl:output message="tns:Operation2Response"/>
    </wsdl:operation>
  </wsdl:portType>

  <wsdl:binding name="ExampleBinding" type="tns:ExamplePortType">
    <!--
      rpc style: the SOAP Body wraps each call in an element named after the
      operation, in the namespace given on soap:body below. The operation is
      therefore identifiable from the body as well as from the SOAPAction
      header.
    -->
    <soap:binding style="rpc"
                  transport="http://schemas.xmlsoap.org/soap/http"/>

    <!--
      Each operation has its own soapAction. SOAPAction is a client-supplied
      HTTP header, so access-control rules should be tied to the operation the
      runtime actually dispatches, and a request whose SOAPAction names a
      different operation than its body should be rejected.
    -->
    <wsdl:operation name="Operation1">
      <soap:operation soapAction="http://example.com/Example/Operation1"/>
      <wsdl:input>
        <soap:body use="literal" namespace="http://example.com/Example/"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal" namespace="http://example.com/Example/"/>
      </wsdl:output>
    </wsdl:operation>

    <wsdl:operation name="Operation2">
      <soap:operation soapAction="http://example.com/Example/Operation2"/>
      <wsdl:input>
        <soap:body use="literal" namespace="http://example.com/Example/"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal" namespace="http://example.com/Example/"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>

  <wsdl:service name="ExampleService">
    <wsdl:port binding="tns:ExampleBinding" name="ExamplePort">
      <!--
        Placeholder endpoint over plain HTTP.
        NOTE(review): confirm the deployed address uses https:// if messages
        need confidentiality or integrity in transit.
      -->
      <soap:address location="http://www.example.org/"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
I have just noticed that the issue described at http://cxf.apache.org/cve-2012-3451.html
concerns Document Literal web services (where, if I understand correctly, the
operation name is lost from the SOAP message), whereas my WSDL uses the RPC literal
style (where the operation name does appear in the SOAP message).
Tomasz