Saturday, March 3, 2018

Axis 2 Directory traversal vulnerability


Recently I have encountered a security issue in an Axis 2 (1.4.1) service. An attacker can navigate to axis2.xml using the link https://victim.com/axis2/services/Version?xsd=../conf/axis2.xml and read the Axis 2 username and password. The attacker can then deploy any malicious service and compromise the system.
The issue seems to occur when the Axis 2 version is < 1.5.3. Upgrading the existing version to 1.5.3 (at minimum; later versions also work) solves the problem.

The root cause of the issue is the configuration below in Axis 2 version 1.4.1:
<transportReceiver name="http"
                       class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8080</parameter>
    </transportReceiver>

SimpleHTTPServer does not block such requests, and hence the directory traversal is possible.

I have followed the steps below to upgrade Axis 2 from 1.4.1 to 1.5.3:

1. Upgrade the Axis 2 version to 1.5.3 and update the JARs.

2. Once the JARs have been upgraded, change the following in conf\axis2.xml.

Replace

<transportReceiver name="http"
                       class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8080</parameter>
    </transportReceiver>

with the one below:

<transportReceiver name="http"
                       class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8080</parameter>
    </transportReceiver>

    <transportReceiver name="https"
                       class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8443</parameter>
    </transportReceiver>
3. Comment out the TCPTransportSender in axis2.xml:
<!--
    <transportSender name="tcp"
                     class="org.apache.axis2.transport.tcp.TCPTransportSender"/>-->
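As an added check that is not part of the original post, the following Python script audits an axis2.xml for the two settings the steps above change: an http/https transportReceiver still using SimpleHTTPServer, and an active (not commented-out) TCPTransportSender. The two sample documents are constructed for the example, and the `<axisconfig>` root element is assumed.

```python
import xml.etree.ElementTree as ET

# Class names are taken from the before/after axis2.xml snippets in the post.
INSECURE_RECEIVER = "org.apache.axis2.transport.http.SimpleHTTPServer"
FIXED_RECEIVER = "org.apache.axis2.transport.http.AxisServletListener"
TCP_SENDER = "org.apache.axis2.transport.tcp.TCPTransportSender"


def audit_axis2_config(xml_text):
    """Return a list of findings; an empty list means the file matches the post's fixed config.

    XML comments are discarded by the default ElementTree parser, so a
    TCPTransportSender that has been commented out is correctly not reported.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rx in root.iter("transportReceiver"):
        name, cls = rx.get("name"), rx.get("class", "")
        port = rx.findtext("parameter[@name='port']")
        if cls == INSECURE_RECEIVER:
            findings.append(
                f"transportReceiver '{name}' (port {port}) uses SimpleHTTPServer; "
                f"switch to {FIXED_RECEIVER} and upgrade Axis 2 to 1.5.3 or later"
            )
    for tx in root.iter("transportSender"):
        if tx.get("class") == TCP_SENDER:
            findings.append(
                f"transportSender '{tx.get('name')}' (TCPTransportSender) is still active; comment it out"
            )
    return findings


# Constructed minimal axis2.xml mirroring the post's 1.4.1 configuration (root element assumed).
VULNERABLE_CONFIG = """<axisconfig name="AxisJava2.0">
    <transportReceiver name="http" class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8080</parameter>
    </transportReceiver>
    <transportSender name="tcp" class="org.apache.axis2.transport.tcp.TCPTransportSender"/>
</axisconfig>"""

# Constructed minimal axis2.xml mirroring the post's fixed configuration.
FIXED_CONFIG = """<axisconfig name="AxisJava2.0">
    <transportReceiver name="http" class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8080</parameter>
    </transportReceiver>
    <transportReceiver name="https" class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8443</parameter>
    </transportReceiver>
    <!-- <transportSender name="tcp" class="org.apache.axis2.transport.tcp.TCPTransportSender"/> -->
</axisconfig>"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_axis2_config(cfg) or ["no findings"])
```

To audit a real deployment, read conf\axis2.xml from disk and pass its contents to audit_axis2_config.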

1 comment:

Unknown said...

Did you have to generate the WSDL2Java code after the upgrade to 1.5?
