Directory traversal on WSDL-related requests (included XSDs)
------------------------------------------------------------
Key: JBWS-2622
URL:
https://jira.jboss.org/jira/browse/JBWS-2622
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public (Everyone can see)
Environment: Jboss 5.0.1GA on Win2k
Reporter: failer failer
Deployed simple webservice "hello" (from tutorial) with modified WSDL. (Added
xs:include with schemaLocation pointing to XSD in the same dir as WSDL.)
Tried
http://127.0.0.1:8080/echo/Echo?wsdl - It's OK. xs:include schemaLocation is
rewritten as
http://127.0.0.1:8080/echo/Echo?wsdl&resource=my.xsd
Tried URL
http://127.0.0.1:8080/echo/Echo?wsdl&resource=../../../conf/login-con...
- and received content of login-config.xml with security related information in it.
I didn't try to request some other files, but I think it is possible to get ANY XML
document from the server.
I suppose this is a security hole.
PS. Sorry for my bad English.
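The report above describes a classic path traversal: the value of the `resource` query parameter is joined onto the directory that holds the WSDL and served back without checking where the resulting path lands. The following is an added illustration written for this page, not code from JBoss Web Services or from the reporter. It builds a constructed directory layout in a temp dir (an `xsd` next to a WSDL, and a `conf/login-config.xml` three levels up, mirroring the `../../../` in the reported URL; the real JBoss layout is not reproduced), shows a resolver that concatenates the parameter the way the report implies, and beside it a hardened resolver that canonicalises the path, requires it to stay inside the WSDL directory, and restricts the suffix to schema documents. Function names and the sample file contents are the example's own.

```python
import os
import tempfile

# Constructed sample contents (not real JBoss files).
SAMPLE_XSD = "<xs:schema/>"
SAMPLE_CONF = "<policy>constructed-secret</policy>"


def build_sample_tree():
    """Create a constructed tree: <root>/deploy/echo/wsdl/my.xsd and
    <root>/conf/login-config.xml. From the wsdl dir, ../../../ is <root>,
    so the traversal string from the report reaches the conf file."""
    root = tempfile.mkdtemp(prefix="jbws2622-")
    wsdl_dir = os.path.join(root, "deploy", "echo", "wsdl")
    conf_dir = os.path.join(root, "conf")
    os.makedirs(wsdl_dir)
    os.makedirs(conf_dir)
    with open(os.path.join(wsdl_dir, "my.xsd"), "w") as f:
        f.write(SAMPLE_XSD)
    with open(os.path.join(conf_dir, "login-config.xml"), "w") as f:
        f.write(SAMPLE_CONF)
    return wsdl_dir


def resolve_vulnerable(wsdl_dir, resource):
    """Mirrors the behaviour in the report: the request parameter is joined
    onto the WSDL directory and whatever it names is read and returned.
    '..' segments and absolute paths are never inspected."""
    with open(os.path.join(wsdl_dir, resource)) as f:
        return f.read()


def is_within(base_dir, candidate):
    """True if candidate, after resolving '..' and symlinks, is inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # Different drives on Windows, or mixed absolute/relative: not inside.
        return False


def resolve_hardened(wsdl_dir, resource):
    """Only serve schema documents that live under the WSDL directory.
    Containment is checked on the canonical path, so '../', an absolute
    path, or a symlink pointing out of the directory are all rejected."""
    target = os.path.join(wsdl_dir, resource)
    if not is_within(wsdl_dir, target):
        raise PermissionError("resource escapes WSDL directory: %r" % resource)
    real = os.path.realpath(target)
    # Allow-list the file types the ?wsdl handler has any business serving.
    if not real.lower().endswith((".xsd", ".wsdl")):
        raise PermissionError("not a schema document: %r" % resource)
    with open(real) as f:
        return f.read()


if __name__ == "__main__":
    d = build_sample_tree()
    traversal = "../../../conf/login-config.xml"
    print("vulnerable:", resolve_vulnerable(d, traversal))
    print("hardened my.xsd:", resolve_hardened(d, "my.xsd"))
    try:
        resolve_hardened(d, traversal)
    except PermissionError as e:
        print("hardened rejected:", e)
```

Two details matter in the hardened version. The containment check runs on `realpath` output, not on the string the client sent, so URL-decoded `..` sequences and symlinks are handled by the same test; and the check is a prefix comparison on path components (`commonpath`), not on raw strings, which avoids the classic bug where `/deploy/echo/wsdl2/` is accepted because it starts with `/deploy/echo/wsdl`.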
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira