You are viewing a plain text version of this content. The canonical link for it is here.

Posted to wss4j-dev@ws.apache.org by "Fred Dushin (JIRA)" <ji...@apache.org> on 2008/04/17 19:37:21 UTC

[jira] Assigned: (WSS-98) Security Vurnability: Plaintext Usertoken Profile

     [ https://issues.apache.org/jira/browse/WSS-98?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fred Dushin reassigned WSS-98:
------------------------------

    Assignee: Fred Dushin  (was: Ruchith Udayanga Fernando)

> Security Vurnability: Plaintext Usertoken Profile
> -------------------------------------------------
>
>                 Key: WSS-98
>                 URL: https://issues.apache.org/jira/browse/WSS-98
>             Project: WSS4J
>          Issue Type: Bug
>         Environment: Apache Axis 1.4 + WSS4J 1.5.3 
>            Reporter: Kenny Moens
>            Assignee: Fred Dushin
>            Priority: Critical
>         Attachments: plaintext_security_leak.diff
>
>
> When the username and passwords are passed without digest, no password check is performed.
> This can easily reproduced with the following SOAP Request::
>       <wsse:UsernameToken>
>         <wsse:Username>foo</wsse:Username>
>         <wsse:Password>bar</wsse:Password>
>       </wsse:UsernameToken>
> When looking at the source code the password is in this case never checked. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org