Nmap Development mailing list archives

Re: http-axis2-dir-traversal


From: Fyodor <fyodor () insecure org>
Date: Thu, 21 Jul 2011 03:03:42 -0700

On Fri, Jul 15, 2011 at 06:22:50PM -0700, Paulino Calderon wrote:
> Hi nmap-dev,
>
> description = [[
> http-axis2-dir-traversal exploits a directory traversal vulnerability in
> Apache Axis2 version 1.4.1 by sending a specially crafted request to the
> parameter <code>xsd</code> (OSVDB-59001). By default it will try to
> retrieve the configuration file of the Axis2 service
> <code>'/conf/axis2.xml'</code> using the path
> <code>'/axis2/services/'</code> to return the username and password of
> the admin account.

Thanks Paulino.  This looks like a good script.  Here are my small
suggestions:

o The example in @usage seems to be missing the actual file argument.
  It would be nice to have both an example of common (no argument)
  usage, and one where it is downloading another common file such as
  /etc/passwd or whatever.

o The NSEDoc says "if you wish to retrieve other files you may need to
  add more "/../" to traverse to the correct folder location."  I
  think you're talking about adding them to the
  http-axis2-dir-traversal.file argument, but this should probably be
  made more clear.

o It is great that it uses the creds library!

o The output should include CVE number or OSVDB or some sort of good
  reference to the vulnerability.  Maybe you can look at how other
  'vuln' scripts report things.  Soon, I think Djalal will have a more
  standardized library for formatting detected vuln output.

After you make these changes, please check it in.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

