Security Advisory WSO2-2016-0098

Published: August 12, 2016


WSO2 products are vulnerable to Local File Inclusion (LFI) issue via LogViewer Admin Service.


An authenticated user can download configuration files in the filesystem via downloadArchivedLogFiles operation in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. <WSO2_PRODUCT_HOME>/repository/logs), hence can access any file in the file system.


An authorized user with admin privileges can download any file in the file system through LogViewer admin service.


Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to

Code Product Version Patch
AS WSO2 Application Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0202
BPS WSO2 Business Process Server 3.5.1 WSO2-CARBON-PATCH-4.4.0-0204
BRS WSO2 Business Rules Server 2.2.0 WSO2-CARBON-PATCH-4.4.0-0203
CEP WSO2 Complex Event Processor 4.1.0 WSO2-CARBON-PATCH-4.4.0-0203
DAS WSO2 Data Analytics Server 3.0.1 WSO2-CARBON-PATCH-4.4.0-0203
DS WSO2 Dashboard Server 2.0.0 WSO2-CARBON-PATCH-4.4.0-0203
DSS WSO2 Data Services Server 3.5.0 WSO2-CARBON-PATCH-4.4.0-0203
EMM WSO2 Enterprise Mobility Manager 2.0.1 WSO2-CARBON-PATCH-4.4.0-0203
ES WSO2 Enterprise Store 2.0.0 WSO2-CARBON-PATCH-4.4.0-0201
ESB WSO2 Enterprise Service Bus 4.9.0 WSO2-CARBON-PATCH-4.4.0-0202
GREG WSO2 Governance Registry 5.2.0 WSO2-CARBON-PATCH-4.4.0-0204
IS WSO2 Identity Server 5.1.0 WSO2-CARBON-PATCH-4.4.0-0203
MB WSO2 Message Broker 3.1.0 WSO2-CARBON-PATCH-4.4.0-0203
ML WSO2 Machine Learner 1.1.0 WSO2-CARBON-PATCH-4.4.0-0202


If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.


WSO2 thanks, John Page (hyp3rlinx) for responsibly reporting the identified issues and working with us as we addressed them.