Apache Axis2 "xsd" XML Local File Inclusion Vulnerability


Description   A local file inclusion vulnerability has been identified in Apache Axis2, impacting other products such as IBM WebSphere Application Server. A remote attacker can exploit it to read arbitrary files on the web server, including the file containing the username and password in cleartext, and log on with administrative privileges.

Exploit code is available in the Metasploit framework.

The "xsd" parameter of the "/axis2/services/Version" and "/InsaneService/services/WSInsane" scripts can load XML content from an arbitrary location, including "/WEB-INF/conf/axis2.xml".
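A log-review check for the request pattern described above, added here as an example and not taken from the advisory or any vendor: it flags Axis2 service requests whose "xsd" value looks like a path or URL rather than a bare schema name. The access-log format, the sample lines and the assumption that legitimate values are bare names such as "xsd0" are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate ?xsd= value is a bare schema name, so path
# separators, "..", WEB-INF, axis2.xml or a URL scheme are all suspect.
SUSPICIOUS = re.compile(r'\.\.|[/\\]|web-inf|axis2\.xml|^[a-z]+:', re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252F) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_xsd(log_line):
    """Return the decoded xsd value if the request looks like a probe, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if "/services/" not in url.path:
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "xsd":
            value = fully_decode(value)  # parse_qsl already decoded one layer
            if SUSPICIOUS.search(value):
                return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = [(n, suspicious_xsd(line)) for n, line in enumerate(lines, 1)]
    return [(n, v) for n, v in hits if v is not None]

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /axis2/services/Version?xsd=xsd0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /axis2/services/Version?xsd=/WEB-INF/conf/axis2.xml HTTP/1.1" 200 20480',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /InsaneService/services/WSInsane?xsd=%252FWEB-INF%252Fconf%252Faxis2.xml HTTP/1.1" 200 20480',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /axis2/services/Version?wsdl HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious xsd value {value!r}")
```

A hit with a 200 status and a large response body is worth following up by checking whether the credentials stored in axis2.xml were later used to log on.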
     
Vulnerable Products   Vulnerable Software:
- Geronimo (Apache Software Foundation) - 2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0
- H3C Intelligent Management Center (HP) -
- WebSphere Application Server (IBM) - 6.1.0.11, 6.1.0.13, 6.1.0.15, 6.1.0.17, 6.1.0.19, ..., 7.0.0.11, 7.0.0.3, 7.0.0.5, 7.0.0.7, 7.0.0.9
     
Solution   HP has released version 7.2 (E0403P10) of iMC (Intelligent Management Center) which fixes this vulnerability.
     
CVE   CVE-2010-1632
     
References   - Local File Inclusion Vulnerability on parsing WSDL related XSD Files
https://issues.apache.org/jira/browse/AXIS2-4279
- Potential security exposure with IBM WebSphere Application Server with JAX-WS or JAX-RS (PM14844, PM14847, PM14765)
http://www-01.ibm.com/support/docview.wss?uid=swg21433581
- CVE-2010-1632 and CVE-2010-2076 : Axis2 and CXF HTTP binding enables DTD based XML attacks.
http://geronimo.apache.org/21x-security-report.html
- Fix list for IBM WebSphere Application Server V7.0
http://www-01.ibm.com/support/docview.wss?uid=swg27014463#70013
- Apache Geronimo : 2.2.x vulnerabilities
http://geronimo.apache.org/22x-security-report.html
- HPSBHF03655 rev.1 : HPE iMC PLAT Network Products running Apache Axis2, Multiple Remote Vulnerabilities
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05289984
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm: Directory traversal (available since 3.2.0)
     


 
 
 
 
Risk level   High

Vulnerability First Public Report Date   2010-05-24

Target Type   Server

Possible exploit   Remote