You are viewing a plain text version of this content. The canonical link for it is here.

Posted to wss4j-dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2008/04/14 15:43:05 UTC

[jira] Commented: (WSS-98) Security Vurnability: Plaintext Usertoken Profile

    [ https://issues.apache.org/jira/browse/WSS-98?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588577#action_12588577 ] 

Colm O hEigeartaigh commented on WSS-98:
----------------------------------------


This bug is essentially a duplicate of WSS-54 and can be closed.

> Security Vurnability: Plaintext Usertoken Profile
> -------------------------------------------------
>
>                 Key: WSS-98
>                 URL: https://issues.apache.org/jira/browse/WSS-98
>             Project: WSS4J
>          Issue Type: Bug
>         Environment: Apache Axis 1.4 + WSS4J 1.5.3 
>            Reporter: Kenny Moens
>            Assignee: Ruchith Udayanga Fernando
>            Priority: Critical
>         Attachments: plaintext_security_leak.diff
>
>
> When the username and passwords are passed without digest, no password check is performed.
> This can easily reproduced with the following SOAP Request::
>       <wsse:UsernameToken>
>         <wsse:Username>foo</wsse:Username>
>         <wsse:Password>bar</wsse:Password>
>       </wsse:UsernameToken>
> When looking at the source code the password is in this case never checked. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org