Uploaded image for project: 'JBoss Enterprise Application Platform 4 and 5'
  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-1565

JBossWS - WSDL access url with resource suffix allows any arbitrary xml file to be viewed

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 4.2.0.GA_CP06
    • 4.2.0.GA_CP05
    • None
    • None
    • Release Notes

      The issue is that using in any wsdl access url if you suffix &resource=../../../jmx-invoker-service.xml you can view this file. Likewise in a system where JBossEAP is running you can easily hack to view any xml file from any arbitrary location using this method.

              mageshbk_jira Magesh Bojan (Inactive)
              mageshbk_jira Magesh Bojan (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: