Posted to java-dev@axis.apache.org by Philip Lowman <ph...@yhbt.com> on 2016/09/10 14:12:36 UTC

Question on vulnerable Xalan 2.7.0 being distributed with Axis2 1.7.3

Hi,
I noticed that Xalan version 2.7.0 is being distributed with the Axis2
1.7.3 binary release.

This version appears to have a rather serious security flaw which (if I am
understanding things properly) can allow remote code execution.  I guess
I'm wondering if this is exploitable via Axis somehow?

http://www.cvedetails.com/cve/CVE-2014-0107/
https://tools.cisco.com/security/center/viewAlert.x?alertId=34517

I've tried the approach indicated at ws-attacks below which I think is for
this vulnerability, but run into exceptions I don't understand (and I'm
also not a WS/XML/XSLT guru).

http://www.ws-attacks.org/XML_Signature_%E2%80%93_XSLT_Code_Execution
https://www.owasp.org/images/a/ae/OWASP_Switzerland_Meeting_2015-06-17_XSLT_SSRF_ENG.pdf

Thanks!

-- 
Philip Lowman