Posted to java-dev@axis.apache.org by "robert lazarski (JIRA)" <ax...@ws.apache.org> on 2018/05/29 17:40:00 UTC

[jira] [Commented] (AXIS-2868) Invalid Input passed in by the user for an input argument is reflected in the output when Axis throws the exception to the caller

    [ https://issues.apache.org/jira/browse/AXIS-2868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16493923#comment-16493923 ] 

robert lazarski commented on AXIS-2868:
---------------------------------------

Thank you for the comments. The last release of axis 1.x was in 2006 and this project has been in deep maintenance mode for many years.

This issue is fixed in the current axis 1.x trunk:

r1831943 | veithen | 2018-05-20 14:10:32 -0600 (Sun, 20 May 2018) | 1 line

Correctly escape namespace URIs in namespace declarations.

Trunk link with maven builds:

https://travis-ci.org/apache/axis1-java

> Invalid Input passed in by the user for an input argument is reflected in the output when Axis throws the exception to the caller
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS-2868
>                 URL: https://issues.apache.org/jira/browse/AXIS-2868
>             Project: Axis
>          Issue Type: Bug
>          Components: Distribution
>    Affects Versions: 1.4
>         Environment: Any OS
>            Reporter: Vijeya Aravindan
>            Priority: Major
>
> This issue was reported by our security team post audit and hence creating this ticket:
> 1) Our SOAP service is layered on Axis and the stub and skeletons are auto generated by feeding the WSDL and XSD to Axis wsdl2java.
> 2) The Axis layer validates the type of the input parameter coming in as part of the request against the types defined in the XSD.
> 3) In this case, for a parameter defined as long in the XSD, the Security team passed in a String parameter. Axis threw a Java NumberFormatException as expected, and the String parameter passed as the invalid input got reflected in the output response as part of this exception.
> 4) The response in this case is:
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>    <soapenv:Body>
>       <soapenv:Fault>
>          <faultcode>soapenv:Server</faultcode>
>          <faultstring>For input string: "a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"</faultstring>
>          <detail>
>          java.lang.NumberFormatException: For input string: "invalid string: "a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"
> The concern from our Security Team is that "This may lead to XSS attack if the consumer of the service does not perform output encoding". 
> 5) Since this validation is done by Axis Skeleton layer even before the call back comes to the user defined registered implementation, upon recommendation from our Security team, we request Axis team to sanitize this output to prevent the actual invalid string from appearing in the output response.
> Thanks,
> Vijey



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
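The reflection the ticket describes and the mitigation it asks for, as an added Python example that is not Axis code: the first deserializer copies the NumberFormatException text into the faultstring, the hardened one names only the parameter and its expected type, and a check confirms the submitted value is absent from the response. The sample input is constructed from the ticket; the function names are hypothetical.

```python
from xml.sax.saxutils import escape

# Constructed sample: the probe string from the ticket, sent for a parameter
# the XSD declares as xsd:long.
BAD_INPUT = 'a="get";b="URL(\\"";c="javascript:";d="alert(\'XSS\');\\")";eval(a+b+c+d);'


def soap_fault(faultstring: str, detail: str) -> str:
    """Serialize a minimal SOAP 1.1 Fault. escape() turns <, > and & into
    entities so the envelope stays well-formed whatever the text contains."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode>"
        f"<faultstring>{escape(faultstring)}</faultstring>"
        f"<detail>{escape(detail)}</detail>"
        "</soapenv:Fault></soapenv:Body></soapenv:Envelope>"
    )


def deserialize_long_reflecting(param: str, raw: str) -> str:
    """Pattern the ticket describes: the parser's exception message, which
    embeds the raw argument, is copied verbatim into the fault. Returns ""
    when the value parses, otherwise the fault envelope."""
    try:
        int(raw)  # stands in for Long.parseLong(raw)
        return ""
    except ValueError:
        msg = f'For input string: "{raw}"'  # Java's NumberFormatException text
        return soap_fault(msg, f"java.lang.NumberFormatException: {msg}")


def deserialize_long_hardened(param: str, raw: str) -> str:
    """Report the parameter name and expected type only; the offending value
    stays out of the response (log it server-side if it is needed)."""
    try:
        int(raw)
        return ""
    except ValueError:
        msg = f"Parameter '{param}' must be an xsd:long"
        return soap_fault(msg, "java.lang.NumberFormatException")


def reflects_input(response: str, raw: str) -> bool:
    """True if the submitted value appears verbatim (or XML-escaped, which a
    consumer decodes back to the same text) anywhere in the response."""
    return raw in response or escape(raw) in response
```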