[jira] [Created] (AXIS2-5907) Axis2 provide detailed error message in AxisFault which lead to security issue.


JIRA jira@apache.org
Renukaprasad created AXIS2-5907:
-----------------------------------

             Summary: Axis2 provide detailed error message in AxisFault which lead to security issue.
                 Key: AXIS2-5907
                 URL: https://issues.apache.org/jira/browse/AXIS2-5907
             Project: Axis2
          Issue Type: Bug
          Components: kernel
    Affects Versions: 1.6.3
            Reporter: Renukaprasad


We have 2 cases.

Scenario-1:

The user enters an incorrect service name in the URL. The returned response will be a proper error message "No service", which allows the user to guess the possible service names.

<faultstring>The service cannot be found for the endpoint reference (EPR) http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator</faultstring>

Scenario-2:

The user invokes the SOAP service without a SOAP envelope (no header / body). Error message: "No operation & Action is EMPTY"

Invoke the URL from a browser without any header info - http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/Calculator

The endpoint reference (EPR) for the Operation not found is /com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null. If this EPR was previously reachable, please contact the server administrator.

Both scenarios expose the detailed response to the attacker, which could lead to a security threat.
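A response-side check for the two fault strings in the report, as an added example that is not part of the original message or Axis2's own code: it finds the details these faults leak (URL, IP address, service path, WSA Action), replaces the fault string with a generic message and keeps the original text for server-side logging. The pattern set, the generic message and the function names are assumptions; the envelopes are constructed around the fault strings quoted in the report.

```python
import re
import uuid
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soapenv", SOAP_NS)  # keep the prefix that faultcode refers to

# Assumed rule set covering the details the two scenarios expose.
LEAK_PATTERNS = {
    "url": re.compile(r"https?://[^\s<]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "service_path": re.compile(r"/[\w.\-]+/services/[\w.\-]+"),
    "wsa_action": re.compile(r"WSA Action\s*=\s*\S+"),
}
GENERIC = "The request could not be processed. Reference: {ref}"

def find_leaks(text):
    """Return the sorted names of the leak patterns that match a fault string."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(text))

def sanitize_fault(xml_text):
    """Replace leaky <faultstring> text; return (clean_xml, audit_records)."""
    root = ET.fromstring(xml_text)
    audit = []
    for el in root.iter():
        # Match faultstring whether or not it is namespace-qualified.
        if el.tag.rsplit("}", 1)[-1] != "faultstring" or not el.text:
            continue
        leaks = find_leaks(el.text)
        if leaks:
            ref = uuid.uuid4().hex[:12]
            # The original text goes to the server log, keyed by the reference.
            audit.append({"ref": ref, "leaks": leaks, "original": el.text})
            el.text = GENERIC.format(ref=ref)
    return ET.tostring(root, encoding="unicode"), audit

# Constructed envelope wrapping the fault strings quoted in the report.
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="' + SOAP_NS + '"><soapenv:Body>'
            "<soapenv:Fault><faultcode>soapenv:Client</faultcode>"
            "<faultstring>{msg}</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>")
SCENARIO_1 = ENVELOPE.format(msg="The service cannot be found for the endpoint reference (EPR) "
    "http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator")
SCENARIO_2 = ENVELOPE.format(msg="The endpoint reference (EPR) for the Operation not found is "
    "/com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null. "
    "If this EPR was previously reachable, please contact the server administrator.")

if __name__ == "__main__":
    for name, env in (("scenario-1", SCENARIO_1), ("scenario-2", SCENARIO_2)):
        clean, audit = sanitize_fault(env)
        print(name, audit[0]["leaks"], "->", clean)
```

Because both scenarios get the same generic text, a client can no longer tell a wrong service name from a malformed request, while the reference id lets an administrator find the original fault in the log.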