Posted to issues@cxf.apache.org by "Loïc FRERING (JIRA)" <ji...@apache.org> on 2008/02/14 15:53:09 UTC
[jira] Created: (CXF-1433) WS-Security vulnerability
WS-Security vulnerability
-------------------------
Key: CXF-1433
URL: https://issues.apache.org/jira/browse/CXF-1433
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 2.0.3
Environment: Tomcat 5.5, Spring 2 and CXF 2.0.3 for the server and Flex WS-client
Reporter: Loïc FRERING
Priority: Critical
It is possible to bypass the security checks configured with WS-Security.
Server configured with a Username Token WS-Security authentication with Spring:
<jaxws:endpoint id="helloWorld" implementor="service.impl.HelloWorldImpl" address="/HelloWorld">
    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                <map>
                    <entry key="action" value="UsernameToken"/>
                    <entry key="passwordType" value="PasswordDigest"/>
                    <entry key="passwordCallbackClass" value="service.security.ServerPasswordHandler"/>
                </map>
            </constructor-arg>
        </bean>
        <bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
        <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
    </jaxws:inInterceptors>
</jaxws:endpoint>
When a SOAP message is created and sent with the following header, the server does not process the authentication and returns the response:
<SOAP-ENV:Envelope>
    <SOAP-ENV:Header>
        <ns0:Security>
            <ns0:wsse>Security</ns0:wsse>
        </ns0:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <ns0:sayHi>
            <name>Loïc</name>
        </ns0:sayHi>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
So it is possible to bypass all the security checks configured and to use it.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (CXF-1433) WS-Security vulnerability
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569381#action_12569381 ]
fdushin edited comment on CXF-1433 at 2/15/08 11:35 AM:
------------------------------------------------------------
This patch adds a check to the WSS4JInInterceptor, to ensure that (at least) the number of performed actions corresponds to the number of required actions. This is a workaround for https://issues.apache.org/jira/browse/WSS-70
was (Author: fdushin):
This patch adds a check to the WSS4JInInterceptor, to ensure that (at least) the number of performed actions corresponds to the number of required actions. This is a workaround for https://issues.apache.org/jira/browse/WSS-70
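The check Fred describes (performed actions compared against the actions the endpoint requires) is the defensive property that was missing: the reporter's message carries a wsse:Security header with nothing inside it, so zero actions are performed, and the handler returned success anyway. The following is an added example, not the CXF patch or WSS4J code, that models that check in Python over two constructed messages. It assumes the reporter's ns0 prefix is bound to the wsse namespace (as the Flex QName(wsse.uri, "Security") call would bind it); the function names and the credential values in the valid sample are placeholders chosen for the example.

```python
import xml.etree.ElementTree as ET

# Namespace the reporter's Flex client binds for the Security header (from the
# issue) and the SOAP 1.1 envelope namespace.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# wsse: child elements and the action name each one satisfies. The endpoint in
# this issue only requires UsernameToken; other tokens would be mapped here.
TOKEN_TO_ACTION = {"{%s}UsernameToken" % WSSE_NS: "UsernameToken"}


def performed_actions(envelope_xml):
    """Return the security actions actually present in the message header.

    A wsse:Security element with no recognised token (the reporter's message)
    yields [], which is the case the unpatched handler accepted.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("{%s}Header" % SOAP_NS)
    if header is None:
        return []
    actions = []
    for security in header.findall("{%s}Security" % WSSE_NS):
        for child in security:
            action = TOKEN_TO_ACTION.get(child.tag)
            if action is not None:
                actions.append(action)
    return actions


def actions_satisfied(required, performed):
    """The count check the patch describes, plus a per-action match.

    The patch compares the number of performed actions with the number of
    required ones. A count alone would accept a different token of the same
    cardinality, so each required action is also matched by name here.
    """
    if len(performed) < len(required):
        return False
    return all(action in performed for action in required)


def admit_message(envelope_xml, required=("UsernameToken",)):
    """True only if the message carries every action the endpoint requires."""
    return actions_satisfied(list(required), performed_actions(envelope_xml))


# Constructed sample: the reporter's bypass message, ns0 bound to the wsse namespace.
BYPASS_MESSAGE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" xmlns:ns0="%s">
  <SOAP-ENV:Header>
    <ns0:Security><ns0:wsse>Security</ns0:wsse></ns0:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body><sayHi><name>Loïc</name></sayHi></SOAP-ENV:Body>
</SOAP-ENV:Envelope>""" % (SOAP_NS, WSSE_NS)

# Constructed sample: the same call with a UsernameToken present. The username
# and digest are placeholders; this model does not verify the digest itself.
VALID_MESSAGE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" xmlns:wsse="%s">
  <SOAP-ENV:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">PLACEHOLDER_DIGEST</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body><sayHi><name>Loïc</name></sayHi></SOAP-ENV:Body>
</SOAP-ENV:Envelope>""" % (SOAP_NS, WSSE_NS)


if __name__ == "__main__":
    print("bypass message performed:", performed_actions(BYPASS_MESSAGE),
          "admitted:", admit_message(BYPASS_MESSAGE))
    print("valid message performed:", performed_actions(VALID_MESSAGE),
          "admitted:", admit_message(VALID_MESSAGE))
```

The point of the model is the ordering of checks: the decision must be made from what was actually verified in the header, never from the mere presence of a Security element, and an empty result for a required action is a rejection, not a pass.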
[jira] Commented: (CXF-1433) WS-Security vulnerability
Posted by "Loïc FRERING (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569846#action_12569846 ]
Loïc FRERING commented on CXF-1433:
-----------------------------------
Great, thank you for your reactivity.
Regards,
Loïc FRERING
[jira] Commented: (CXF-1433) WS-Security vulnerability
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569319#action_12569319 ]
Fred Dushin commented on CXF-1433:
----------------------------------
I believe this is due to:
https://issues.apache.org/jira/browse/WSS-70
I'll be submitting a patch to CXF shortly which works around this issue.
[jira] Commented: (CXF-1433) WS-Security vulnerability
Posted by "Loïc FRERING (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569312#action_12569312 ]
Loïc FRERING commented on CXF-1433:
-----------------------------------
Hello Fred,
Here is the Flex code that permits me to use the web service without authentication:
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute">
    <mx:WebService id="helloService" wsdl="http://localhost/webservice/HelloWorld?wsdl" useProxy="false" load="headers();">
        <mx:operation name="sayHi">
            <mx:request>
                <name>Loïc</name>
            </mx:request>
        </mx:operation>
    </mx:WebService>
    <mx:Script>
        <![CDATA[
            import mx.rpc.soap.SOAPHeader;
            //import com.adobe.crypto.WSSEUsernameToken;

            private var wsseHeader:SOAPHeader;
            public var fromXML;

            public function headers():void {
                var wsse:Namespace = new Namespace("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                var wsseSecurity:QName = new QName(wsse.uri, "Security");
                wsseHeader = new SOAPHeader(wsseSecurity, {"wsse":"Security"});
                // Here would be the code to generate the WS-Security headers, but is not....
                helloService.addHeader(wsseHeader);
            }
        ]]>
    </mx:Script>
    <mx:DataGrid id="dgTopPosts" width="400" verticalCenter="-66" horizontalCenter="0" dataProvider="{helloService.sayHi.lastResult}">
        <mx:columns>
            <mx:DataGridColumn headerText="Hi" dataField="return" />
        </mx:columns>
    </mx:DataGrid>
    <mx:Button label="Button" click="helloService.sayHi.send();" verticalCenter="-125.5" horizontalCenter="0" />
</mx:Application>
[jira] Commented: (CXF-1433) WS-Security vulnerability
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569117#action_12569117 ]
Fred Dushin commented on CXF-1433:
----------------------------------
I am unable to reproduce this error in a standalone case.
I will attach a sample program, which illustrates the security interceptors functioning properly. The testcase I am submitting, however, requires using the wget utility (available on most unix systems) to POST a dummy message to the server.
There may still be an issue with CXF deployed in the tomcat container, which we can investigate next.
[jira] Commented: (CXF-1433) WS-Security vulnerability
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569986#action_12569986 ]
Daniel Kulp commented on CXF-1433:
----------------------------------
New 2.0.5 and 2.1 snapshots are deployed that contain the fixes. Can you give them a try and make sure it's all OK?
Thanks!
Dan
[jira] Resolved: (CXF-1433) WS-Security vulnerability
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp resolved CXF-1433.
------------------------------
Resolution: Fixed
Fix Version/s: 2.0.5
[jira] Commented: (CXF-1433) WS-Security vulnerability
Posted by "Loïc FRERING (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569331#action_12569331 ]
Loïc FRERING commented on CXF-1433:
-----------------------------------
Ok, thank you Fred.
[jira] Updated: (CXF-1433) WS-Security vulnerability
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin updated CXF-1433:
-----------------------------
Comment: was deleted
[jira] Updated: (CXF-1433) WS-Security vulnerability
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin updated CXF-1433:
-----------------------------
Attachment: cxf-1433-fdushin-2008.02.15.patch
This patch adds a check to the WSS4JInInterceptor, to ensure that (at least) the number of performed actions corresponds to the number of required actions. This is a workaround for https://issues.apache.org/jira/browse/WSS-70
[jira] Assigned: (CXF-1433) WS-Security vulnerability
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp reassigned CXF-1433:
--------------------------------
Assignee: Daniel Kulp