Posted to java-dev@axis.apache.org by "robert lazarski (JIRA)" <ji...@apache.org> on 2018/02/08 14:55:00 UTC

[jira] [Commented] (AXIS2-5907) Axis2 provide detailed error message in AxisFault which lead to security issue.

    [ https://issues.apache.org/jira/browse/AXIS2-5907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16357023#comment-16357023 ] 

robert lazarski commented on AXIS2-5907:
----------------------------------------

Axis2 1.6.3 is long unsupported; the latest version is 1.7.7.

Invoking axis2 in an invalid way will create Exceptions and errors best handled by the application server config. There is also the axis2.xml config, which can control fault behavior.

Some of the errors mentioned can be a 404 or 500 error, which can be handled in web.xml via <error-code>404</error-code>, <error-code>500</error-code>, etc.

Furthermore, projects like urlrewrite can redirect to a custom page and message when a server URL is not formed as expected.
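The web.xml and axis2.xml settings the comment refers to, written out as an added example (not taken from the issue or from the Axis2 project's own files). The error page path /error.html is an assumption; the two axis2.xml parameters only keep stack traces and root-cause messages out of SOAP faults and do not change the service-not-found wording of the first scenario.

```xml
<!-- web.xml (servlet container): map container-level errors to one static page
     that carries no request details. /error.html is an assumed path. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>
  <!-- any exception that escapes the AxisServlet lands on the same page -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
</web-app>

<!-- axis2.xml (WEB-INF/conf): do not send stack traces or drilled-down
     root-cause text inside the faults returned to clients -->
<axisconfig name="AxisJava2.0">
  <parameter name="sendStacktraceDetailsWithFaults">false</parameter>
  <parameter name="DrillDownToRootCauseForFaultReason">false</parameter>
</axisconfig>
```

Container error-page mappings only fire when the servlet calls sendError() or lets an exception propagate; a fault the servlet writes itself with setStatus(500) and a body is delivered as-is, so check the actual response of a deployment after changing these settings.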

> Axis2 provide detailed error message in AxisFault which lead to security issue.
> -------------------------------------------------------------------------------
>
>                 Key: AXIS2-5907
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5907
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.6.3
>            Reporter: Renukaprasad
>            Priority: Major
>              Labels: security
>
> We have 2 cases.
> Scenario-1:
> User enters an incorrect service name in the URL. The returned response will be a proper error message "No service", which allows the user to guess the possible service names.
> <faultstring>The service cannot be found for the endpoint reference (EPR) http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator</faultstring>
> Scenario-2:
> User invokes the SOAP service without a SOAP envelope (no header / body). Error message: "No operation & Action is EMPTY"
> Invoke the URL from browser without any header info - http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/Calculator
> The endpoint reference (EPR) for the Operation not found is /com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null. If this EPR was previously reachable, please contact the server administrator.
>  
> Both scenarios expose the detailed response to the attacker, which could lead to a security threat.
>  


