Apache Axis CRLF And Content Injection

November 1, 2007

Version tested:- 1.4

Vendor's website:- http://ws.apache.org/axis/

Details:- The vulnerability reported earlier this year was later addressed by the Apache Axis group, and the error messages in version 1.4 do not leak the document root or any directory structure. However, the error message returned for a non-existent WSDL is vulnerable to CRLF injection. Although it HTML-encodes all of the user's input, thereby preventing any XSS or HTML injection, content injection is still possible (a minor issue).








AXIS error

Sorry, something seems to have gone wrong… here are the details:

Fault – ; nested exception is:

java.io.FileNotFoundException: /tt_pm4l


 An Error has Occured

please send your credentials and problem encountered to
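
A defensive sketch of the issue described above, as an added example (not Axis code and not from the original post): HTML-encoding alone leaves CR/LF in the reflected path, so the hardened method also replaces control characters and caps the length before encoding. The class name, method names, length limit and sample path are assumptions constructed for illustration.

```java
import java.util.regex.Pattern;

public class SafeFaultMessage {
    // ASCII control characters (CR and LF included) plus the Unicode line/paragraph separators.
    private static final Pattern CONTROL = Pattern.compile("[\\p{Cntrl}\\u2028\\u2029]");
    private static final int MAX_LEN = 80; // assumed limit for a reflected path

    /** HTML-encodes only: a model of the behaviour the post describes, not Axis source. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Hardened: make line breaks visible as '?', cap the length, then encode. */
    static String forErrorPage(String requestedPath) {
        String oneLine = CONTROL.matcher(requestedPath).replaceAll("?");
        if (oneLine.length() > MAX_LEN) {
            oneLine = oneLine.substring(0, MAX_LEN) + "...";
        }
        return htmlEncode(oneLine);
    }

    public static void main(String[] args) {
        // Constructed input: a requested path after the container has URL-decoded %0d%0a.
        String path = "/tt_pm4l\r\n\r\n An Error has Occured\r\n<b>please send your credentials</b>";
        String encodedOnly = htmlEncode(path);
        String hardened = forErrorPage(path);
        // Markup is neutralised in both, but only the hardened value stays on one line.
        System.out.println("encoded only keeps line breaks: " + encodedOnly.contains("\n"));
        System.out.println("hardened keeps line breaks:     " + hardened.contains("\n"));
        System.out.println("java.io.FileNotFoundException: " + hardened);
    }
}
```

Text on a single line can still be reflected, so the stricter option is to log the requested path server-side and return a fixed error message.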






