  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-1565

JBossWS - WSDL access url with resource suffix allows any arbitrary xml file to be viewed


Details

    • Bug
    • Resolution: Done
    • Critical
    • 4.2.0.GA_CP06
    • 4.2.0.GA_CP05
    • None
    • None
    • Release Notes

    Description

      The issue is that, in any WSDL access URL, if you add the suffix &resource=../../../jmx-invoker-service.xml you can view this file. Likewise, on a system where JBoss EAP is running, you can easily hack to view any XML file from any arbitrary location using this method.

            People

              mageshbk_jira Magesh Bojan (Inactive)
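An added example, not JBossWS code and not the fix shipped for this issue: one way a server can confine a resource parameter to the directory that holds the published WSDL files. The class name, method names and directory layout are hypothetical; resolveNaive is an assumed illustration of the pattern that yields the reported behaviour.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical names throughout; these are not JBossWS classes.
public class WsdlResourceGuard {

    // Assumed pattern behind the report: the parameter is joined to the
    // WSDL directory as-is, so "../" segments walk out of it.
    static Path resolveNaive(Path wsdlDir, String resource) {
        return wsdlDir.resolve(resource).normalize();
    }

    // Confined lookup: canonicalise both sides, then require the result to
    // stay under the WSDL directory and to be a regular file.
    static Path resolveConfined(Path wsdlDir, String resource) throws IOException {
        if (resource == null || resource.isEmpty() || resource.indexOf('\0') >= 0) {
            throw new SecurityException("invalid resource parameter");
        }
        Path base = wsdlDir.toRealPath();
        Path candidate = base.resolve(resource).normalize();
        // Also rejects absolute paths, which resolve() returns unchanged.
        if (!candidate.startsWith(base)) {
            throw new SecurityException("resource escapes WSDL directory: " + resource);
        }
        // toRealPath follows symlinks, so a link inside the directory that
        // points outside it is rejected as well.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("resource not served: " + resource);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for a deployment's WSDL directory.
        Path root = Files.createTempDirectory("eap-demo");
        Path wsdlDir = Files.createDirectories(root.resolve("data/wsdl/app.war"));
        Files.writeString(wsdlDir.resolve("types.xsd"), "<schema/>");
        Files.writeString(root.resolve("jmx-invoker-service.xml"), "<server/>");

        String traversal = "../../../jmx-invoker-service.xml"; // value from the report
        System.out.println("naive:    " + resolveNaive(wsdlDir, traversal));
        System.out.println("confined: " + resolveConfined(wsdlDir, "types.xsd"));
        try {
            resolveConfined(wsdlDir, traversal);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The naive call prints a path outside the WSDL directory, while the confined call serves types.xsd and rejects the traversal value.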