Apache AXIS Non-Existent WSDL Path Information Disclosure Vulnerability

Bugtraq ID:	23687
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2007-2353
Remote:	Yes
Local:	No
Published:	Apr 27 2007 12:00AM
Updated:	Jun 01 2007 05:01PM
Credit:	Discovery is credited to Jericho.
Vulnerable:	Apache Axis 1.0
Not Vulnerable:

Apache AXIS Non-Existent WSDL Path Information Disclosure Vulnerability

Apache AXIS is prone to a path-information-disclosure vulnerability. Remote unauthorized attackers may be able to determine webserver directory paths.

Information obtained may aid attackers in launching further attacks against an affected server.

Apache AXIS 1.0 is vulnerable to this issue.

Apache AXIS Non-Existent WSDL Path Information Disclosure Vulnerability

An exploit is not required to leverage this issue.

The following proof-of-concept URI is available.

http://www.example.com/axis/tt_pm4l.jws?wsdl

Apache AXIS Non-Existent WSDL Path Information Disclosure Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

Apache AXIS Non-Existent WSDL Path Information Disclosure Vulnerability

References:

• Apache AXIS2 Homepage (Apache)
  
• Apache Axis Non-Existent Java Web Service Path Disclosure (Open Source Vulnerability Database)
  
• [VIM] Apache AXIS Non-Existent Java Web Service Path Disclosure? (Jericho )