
Apache CXF WS-Security URIMappingInterceptor Bypass

Posted Feb 12, 2013
Site cxf.apache.org

Apache CXF suffers from a vulnerability when a simple SOAP service is secured with the WSS4JInInterceptor, which enables WS-Security processing of the request. WS-Security processing is completely bypassed in the case of an HTTP GET request, and so access to the service can be enabled by the URIMappingInterceptor. This vulnerability affects all versions of Apache CXF prior to 2.5.8, 2.6.5 and 2.7.2. CXF 2.7.1 is not affected by default; however, the vulnerability exists if you are explicitly adding the URIMappingInterceptor to the default chain.

tags | advisory, web
advisories | CVE-2012-5633
SHA-256 | db48a46ed14115b58114df032443a8b3b6b13b1175a368c2efb1110f6877b6fd


CVE-2012-5633: WSS4JInInterceptor always allows HTTP Get requests from browser

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.5.8, 2.6.5
and 2.7.2. CXF 2.7.1 is not affected by default, however the vulnerability
exists if you are explicitly adding the URIMappingInterceptor to the default
chain.

Description:

The URIMappingInterceptor in CXF is a legacy interceptor that allows some basic
"rest style" access to a simple SOAP service. The functionality provided by
this interceptor has since been replaced by the JAX-RS standard.

An example of how this interceptor works is as follows. A simple "double it"
webservice is defined as:

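import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;

@WebService(name = "DoubleItPortType")
public interface DoubleItPortType {
    // Single operation that URIMappingInterceptor can map to a URI.
    @WebMethod(operationName = "DoubleIt")
    public int doubleIt(
        @WebParam(name = "numberToDouble") int numberToDouble
    );
}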

The URIMappingInterceptor can allow a REST client to access the service via a
GET request to a URL like:

http://localhost:8080/DoubleItPort/DoubleIt&numberToDouble=20

The vulnerability arises when a simple SOAP service is secured with the
WSS4JInInterceptor, which enables WS-Security processing of the request.
WS-Security processing is completely bypassed in the case of an HTTP GET
request, and so access to the service can be enabled by the
URIMappingInterceptor.

This is a critical vulnerability if you are using a WS-Security UsernameToken
or a SOAP message signature via the WSS4JInInterceptor to authenticate users
for a simple SOAP service. Please note that this advisory does not apply if
you are using WS-SecurityPolicy to secure the service, as the relevant policies
will not be asserted. Also note that this attack is only applicable to
relatively simple services that can be mapped to a URI via the
URIMappingInterceptor.
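
One way to look for this bypass in web-server access logs, as an added example that is not part of the Apache advisory: the script flags GET requests that name an operation below a SOAP endpoint. The endpoint list, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumption: endpoints that rely on WSS4JInInterceptor for authentication.
PROTECTED_ENDPOINTS = ("/DoubleItPort",)

# Assumption: access log in common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2013:10:01:02 +0000] "POST /DoubleItPort HTTP/1.1" 200 412',
    '203.0.113.7 - - [12/Feb/2013:10:01:05 +0000] "GET /DoubleItPort?wsdl HTTP/1.1" 200 2310',
    '198.51.100.9 - - [12/Feb/2013:10:02:11 +0000] "GET /DoubleItPort/DoubleIt?numberToDouble=20 HTTP/1.1" 200 188',
    '198.51.100.9 - - [12/Feb/2013:10:02:15 +0000] "GET /DoubleItPort/DoubleIt&numberToDouble=20 HTTP/1.1" 200 188',
    '198.51.100.9 - - [12/Feb/2013:10:02:20 +0000] "GET /index.html HTTP/1.1" 200 99',
]


def split_target(target):
    """Return (path, query); '&' is accepted as the first separator, as in the advisory's URL."""
    cuts = [i for i in (target.find("?"), target.find("&")) if i != -1]
    if not cuts:
        return target, ""
    return target[:min(cuts)], target[min(cuts) + 1:]


def find_get_invocations(lines, endpoints=PROTECTED_ENDPOINTS):
    """Flag GET requests that address an operation below a protected SOAP endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path, query = split_target(m["target"])
        for ep in endpoints:
            operation = path[len(ep) + 1:].split("/")[0]
            # "/Endpoint?wsdl" has no operation segment and is skipped here.
            if path.startswith(ep + "/") and operation:
                hits.append({"ip": m["ip"], "endpoint": ep, "operation": operation,
                             "params": dict(parse_qsl(query)), "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_get_invocations(SAMPLE_LOG):
        print(hit)
```

On an affected version, a hit with a 2xx status against an endpoint secured only by the WSS4JInInterceptor means the operation was served without WS-Security processing.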

This has been fixed in revisions:

http://svn.apache.org/viewvc?view=revision&revision=1409324
http://svn.apache.org/viewvc?view=revision&revision=1420698

Migration:

Although this issue is fixed in CXF 2.5.8, 2.6.5 and 2.7.2, due to a separate
security vulnerability (CVE-2013-0239), CXF users should upgrade to the
following versions:

Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.
CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.
CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.
CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.

References: http://cxf.apache.org/security-advisories.html
