[wsas-java-dev] Security hole in WSAS 2.2

Afkham Azeez azeez at wso2.com
Wed Feb 13 21:28:10 PST 2008


The Problem
-----------
The WSAS 2.2 admin services could be accessed by any user, without 
having to log in. This means any user could manipulate the server 
instance. This is a huge security hole. The cause is that the 
wso2wsas-administration module was not engaged to the WSAS admin 
services.

The Fix to WSAS 2.2
-------------------
The fix for this is to locate the 
WSO2WSAS_HOME/repository/services/wso2wsas-administration.aar file, 
extract it, and locate the services.xml file within the extracted 
directory. Now, uncomment the following line:

Line#21
<!--<module ref="wso2wsas-admin"/>-->

and also uncomment lines 31, 32 & 33.

Next, re-archive the exploded directory as wso2wsas-administration.aar 
(this can be done using any Zip archiver) and drop it into the 
WSO2WSAS_HOME/repository/services/ directory.

That's it. Now restart your server. To verify that the security fix is 
working properly, point your browser to 
https://localhost:9443/services/ServerAdmin/shutdown. If you applied 
the fix properly, you will get an error message with a stack trace that 
includes "Access Denied. Please login first".
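The fix and the verification step above, scripted as an added example (this is not part of the original post or of WSAS itself). It assumes WSO2WSAS_HOME is set, that unzip/zip/curl are on PATH, and that services.xml sits at META-INF/services.xml inside the .aar (the standard Axis2 layout); the contents of lines 31-33 are not reproduced in the post, so those still have to be uncommented by hand.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the WSAS 2.2 fix.
# Assumes WSO2WSAS_HOME is set and unzip/zip/curl are on PATH.
set -e

# Uncomment the wso2wsas-admin module reference in a services.xml
# (line 21 in the post): <!--<module ref="wso2wsas-admin"/>--> becomes
# <module ref="wso2wsas-admin"/>, indentation preserved.
uncomment_admin_module() {
    xml="$1"
    sed 's|<!--[[:space:]]*\(<module ref="wso2wsas-admin"/>\)[[:space:]]*-->|\1|' "$xml" > "$xml.tmp" \
        && mv "$xml.tmp" "$xml"
}

# Succeeds only if the module reference is present and no longer inside a comment.
admin_module_engaged() {
    grep -q '^[[:space:]]*<module ref="wso2wsas-admin"/>' "$1" \
        && ! grep -q '<!--[[:space:]]*<module ref="wso2wsas-admin"/>' "$1"
}

# Extract the aar, patch services.xml, re-archive, and install it (keeping a backup).
# services.xml is at META-INF/services.xml in an Axis2 .aar.
patch_admin_aar() {
    aar="$WSO2WSAS_HOME/repository/services/wso2wsas-administration.aar"
    work=$(mktemp -d)
    cp "$aar" "$aar.bak"
    unzip -q "$aar" -d "$work"
    uncomment_admin_module "$work/META-INF/services.xml"
    admin_module_engaged "$work/META-INF/services.xml"
    # Lines 31-33 from the post are not known here; uncomment them by hand before re-archiving.
    (cd "$work" && zip -qr "$aar.new" .) && mv "$aar.new" "$aar"
    rm -rf "$work"
}

# After the restart, the ServerAdmin endpoint must refuse unauthenticated callers.
# -k accepts the server's self-signed certificate; exit status 0 means the fix is in place.
verify_fix() {
    curl -sk https://localhost:9443/services/ServerAdmin/shutdown \
        | grep -q 'Access Denied. Please login first'
}
```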

For Lazy Users - Use WSAS 2.2.1
-------------------------------
If you are too lazy to do the above and want to avoid this trouble, you 
can download the latest WSAS 2.2.1 release 
(http://wso2.org/downloads/wsas/), which contains this fix. The main 
difference between the WSAS 2.2 & 2.2.1 releases is this security fix 
and some improvements to Hibernate session handling, so there is no 
issue in migrating from WSAS 2.2 to 2.2.1.

Sorry for the inconvenience caused.

--
Thanks
Azeez
