axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nupur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AXIS2-5846) Local file inclusion vulnerability in Axis2
Date Thu, 20 Apr 2017 05:02:04 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15976069#comment-15976069
] 

Nupur commented on AXIS2-5846:
------------------------------

Here are the setup details:
OS : Cent OS(7.3.1611)
JDk : Open JDK 1.7.0_131
Web Container : Apache
In the Current PCP , LFI is present in Axis2 service. It allows the attacker to view certain
files normally which are inaccessible.
For ex:
I provided link in the above statement that is effected by LFI.
I tried accessing the link in my setup .
http://10.65.198.25:8080/axis2/services/Version?xsd=../conf/axis2.xml
The result of the link is below :
<?xml version="1.0"?>
<!-- ~ Licensed to the Apache Software Foundation (ASF) under one ~ or more contributor
license agreements. See the NOTICE file ~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file ~ to you under the Apache License,
Version 2.0 (the ~ "License"); you may not use this file except in compliance ~ with the License.
You may obtain a copy of the License at ~ ~ http://www.apache.org/licenses/LICENSE-2.0 ~ ~
Unless required by applicable law or agreed to in writing, ~ software distributed under the
License is distributed on an ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY ~ KIND,
either express or implied. See the License for the ~ specific language governing permissions
and limitations ~ under the License. -->
-<axisconfig name="AxisJava2.0">
---------------------
-----------------
----------------
<parameter name="DrillDownToRootCauseForFaultReason">false</parameter>
<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>
--------------------------------------
---------------------------------
------------------------------------------------
</axisconfig>
if you observe above, the username and password of axis2 service is exposable which is vulnerable
normally which is not exposable.
This is an example of the issue like wise LFI is allowing some other files too.

> Local file inclusion vulnerability in Axis2
> -------------------------------------------
>
>                 Key: AXIS2-5846
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5846
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.6.2
>            Reporter: Nupur
>
> Defect CSCvd86595: Local file inclusion vulnerability in Axis2 
> An defect has been raised on Present PCP 7.3 axis version 
> *There is a Local File Inclusion (LFI) present in the Axis2 service. It 
>   allows the attacker to view certain files that would normally be inaccessible. This
is a violation of PSB requirement SEC-SUP-PATCH because this is a publicly disclosed vulnerability
with a patch. 
> *security impact: Some of the files that are accessible via this LFI contain the username
and password to the Axis2 admin interface. While the admin interface appears to be disabled
currently, if it was ever enabled or an attacker found a way to access it, they would gain
admin access to the Axis2 system. 
> In addition, this vulnerability is publicly known, which makes it more likely to be exploited
by an attacker. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message