PRP: Apache Axis2 weak credential tester #569

Open
GiuseppePorcu opened this issue Dec 12, 2024 · 1 comment
Labels
Contributor main The main issue a contributor is working on (top of the contribution queue). PRP:Accepted

Comments

@GiuseppePorcu

Hi, according to the documentation of Apache Axis2, the administration console has default credentials that, if not changed, allow an attacker to upload new services, thus leading to RCE.

I would like to develop a plugin for Apache Axis2 instances that functions as a weak credential tester.

Apache Axis2 Default Credentials:
https://axis.apache.org/axis2/java/core/docs/webadminguide.html

RCE through uploaded plugin:
https://medium.com/@domenicoveneziano/hidden-in-plain-sight-uncovering-rce-on-a-forgotten-axis2-instance-86ddc91f1415

@tooryx
Member

tooryx commented Jan 9, 2025

You can work on this.

@tooryx tooryx added PRP:Accepted Contributor main The main issue a contributor is working on (top of the contribution queue). labels Jan 9, 2025