JBoss Community

Prevent injection from DOCTYPE declarations

created by Per Forsh in JBoss Web Services

I have a JBossAS server, version 5.0.1. After security testing we now know that it is possible to use the following code to find/guess open ports.

 

POST /some/WebService HTTP/1.1
Content-type: text/xml;charset="utf-8"
Soapaction: ""
Accept: text/xml, multipart/related, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
User-Agent: JAX-WS RI 2.1.6 in JDK 6
Host: localhost:8443
Connection: close
Content-Length: 265

<?xml version="1.0" ?><!DOCTYPE arg0 [ <!ENTITY x SYSTEM "http://127.0.0.1:50000"> ] ><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><tns:enrollStatus xmlns:tns="http://www.xx.xx/"><arg0>&x;</arg0></tns:enrollStatus></S:Body></S:Envelope>

 

I have read the discussion http://community.jboss.org/message/536246#536246 and from that upgraded jbossws to 3.4.0, but the server still accepts a URL to be injected. I also had problems with this kind of code:

 

POST /some/WebService HTTP/1.1
Content-type: text/xml;charset="utf-8"
Soapaction: ""
Accept: text/xml, multipart/related, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
User-Agent: JAX-WS RI 2.1.6 in JDK 6
Host: localhost:8443
Connection: close
Content-Length: 243

<?xml version="1.0" ?><!DOCTYPE arg0 [ <!ENTITY x "aaaa"> ] ><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><tns:enrollStatus xmlns:tns="http://www.xx.xx/"><arg0>&x;</arg0></tns:enrollStatus></S:Body></S:Envelope>

 

But this injection was not allowed after the upgrade to jbossws 3.4.0, where x now is just "blank". Before the upgrade x was injected as "aaaa".

 

Best Regards,

Per Forsh
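The defensive counterpart to the two requests above, as an added example that is not part of the post and not JBossWS's own code: a JDK DOM parser configured to refuse any DOCTYPE declaration, run against constructed bodies that mirror the internal-entity and SYSTEM-entity requests. The feature URIs are the standard Xerces ones honoured by the JDK's built-in parser; the class and method names are assumptions for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class DoctypeGuard {
    // Hardened factory: refuse any DOCTYPE outright, so neither external
    // (SYSTEM) nor internal entities from the request body are ever resolved.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the text of <arg0>, or null if the parser rejected the document.
    static String parseArg0(DocumentBuilderFactory f, String body) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            return d.getElementsByTagName("arg0").item(0).getTextContent();
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies mirroring the two requests in the post.
        String env = "<S:Envelope xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\"><S:Body>"
            + "<tns:enrollStatus xmlns:tns=\"http://www.xx.xx/\"><arg0>&x;</arg0></tns:enrollStatus>"
            + "</S:Body></S:Envelope>";
        String internalEntity = "<?xml version=\"1.0\" ?><!DOCTYPE arg0 [ <!ENTITY x \"aaaa\"> ] >" + env;
        String externalEntity = "<?xml version=\"1.0\" ?><!DOCTYPE arg0 [ <!ENTITY x SYSTEM \"http://127.0.0.1:50000\"> ] >" + env;
        // A default JDK parser expands the internal entity, which is the
        // pre-upgrade behaviour described in the post ("aaaa" lands in arg0).
        System.out.println("default:  " + parseArg0(DocumentBuilderFactory.newInstance(), internalEntity));
        // The hardened parser rejects both bodies before any entity is touched,
        // so the SYSTEM entity never causes a connection attempt.
        System.out.println("hardened: " + parseArg0(hardenedFactory(), internalEntity));
        System.out.println("hardened: " + parseArg0(hardenedFactory(), externalEntity));
    }
}
```

The SYSTEM-entity body is deliberately fed only to the hardened parser; an unhardened parser would try to open the URL during parsing, which is exactly the probe the post describes.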
