Disclosure: Apache Axis Nonexistent Java Web Service Remote Path Disclosure

[This was originally disclosed on the VIM mail list. VulnDB ID 34154]

Watchfire’s Appscan product looks for this vulnerability (not sure what they officially title it, the title above is my own), but I can’t find any reference to it. Google finds a lot of indirect references suggesting it is common knowledge to the folks who use the product. Has anyone seen this before or have a reference?


Requesting this URL will generate the error message:

http://[target]/axis/tt_pm4l.jws?wsdl

AXIS error

Sorry, something seems to have gone wrong… here are the details:

Fault – java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)

AxisFault
faultCode: {http://xml.apache.org/axis/}Server.userException
faultString: java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)
faultActor: null
faultDetail:
stackTrace: java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)

[SNIP]
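
A defender-side check for the fault shown above, added here as an example that is not part of the original post: it scans an HTTP response body for an Axis fault that discloses an absolute filesystem path, so a regression test or a review of captured responses can confirm that error pages no longer leak it. The function name and the embedded sample body are constructed for illustration.

```python
import html
import ntpath
import posixpath
import re

# Constructed sample input: the fault text quoted in the post, as a response body.
SAMPLE_FAULT = r"""AXIS error
Fault - java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)
AxisFault
faultCode: {http://xml.apache.org/axis/}Server.userException
faultString: java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)
"""

# Markers that identify the body as an Axis fault page.
_AXIS_MARKERS = ("AxisFault", "{http://xml.apache.org/axis/}")

# FileNotFoundException followed (possibly after a line wrap) by an absolute
# Windows or Unix path and the parenthesised OS error text.
_LEAK = re.compile(
    r"java\.io\.FileNotFoundException:\s*"
    r"(?P<path>(?:[A-Za-z]:\\|/)[^\r\n<]+?)\s+\([^()\r\n]*\)"
)


def find_axis_path_leaks(body):
    """Return sorted (file_path, directory) pairs disclosed by an Axis fault body."""
    text = html.unescape(body)  # fault pages may be HTML-escaped
    if not any(marker in text for marker in _AXIS_MARKERS):
        return []
    leaks = set()  # the same path repeats in faultString and stackTrace
    for match in _LEAK.finditer(text):
        path = match.group("path").strip()
        # Pick the path module that matches the disclosed path style.
        mod = ntpath if re.match(r"[A-Za-z]:\\", path) else posixpath
        leaks.add((path, mod.dirname(path)))
    return sorted(leaks)


if __name__ == "__main__":
    for path, directory in find_axis_path_leaks(SAMPLE_FAULT):
        print(f"path disclosed: {path} (directory: {directory})")
```

An empty result for the error page of a nonexistent .jws resource indicates the fault no longer exposes the server-side path.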
