[ 
https://issues.apache.org/jira/browse/AXIS-2868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13293933#comment-13293933
 ] 

Vijeya Aravindan commented on AXIS-2868:
----------------------------------------

Hi Axis Team,

Can you please update on the status of this ticket? This seems to be a critical 
issue from a security perspective.

Best
Vijeya
                
> Invalid Input passed in by the user for an input argument is reflected in the 
> output when Axis throws the exception to the caller
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS-2868
>                 URL: https://issues.apache.org/jira/browse/AXIS-2868
>             Project: Axis
>          Issue Type: Bug
>          Components: Distribution
>    Affects Versions: 1.4
>         Environment: Any OS
>            Reporter: Vijeya Aravindan
>
> This issue was reported by our security team post audit and hence creating 
> this ticket:
> 1) Our Soap service is layered on Axis and the stub and skeletons are auto 
> generated by feeding the WSDL and XSD to Axis wsdl2java.
> 2) The Axis layer validates the type of the input parameter coming in as part 
> of the request against the types defined in the XSD.
> 3) In this case, for a parameter defined as long in the xsd, the Security 
> team passed in a String parameter. Axis threw a Java Number Format Exception 
> as expected and the String parameter passed as the invalid input got 
> reflected in the output response as part of this exception
> 4) The response in this case is:
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>    <soapenv:Body>
>       <soapenv:Fault>
>          <faultcode>soapenv:Server</faultcode>
>          <faultstring>For input string: 
> "a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"</faultstring>
>          <detail>
>          java.lang.NumberFormatException: For input string: "invalid string: 
> "a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"
> The concern from our Security Team is that "This may lead to XSS attack if 
> the consumer of the service does not perform output encoding". 
> 5) Since this validation is done by Axis Skeleton layer even before the call 
> back comes to the user defined registered implementation, upon recommendation 
> from our Security team, we request Axis team to sanitize this output to 
> prevent the actual invalid string from appearing in the output response.
> Thanks,
> Vijey

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
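The behaviour described in the ticket, reconstructed as a stand-alone Java example. This is added here for illustration and is not Axis code: the methods `reflectingFault` and `hardenedFault` are hypothetical stand-ins for the type check the wsdl2java skeleton performs before the user implementation is called, and `HOSTILE_INPUT` is the string from the report, constructed inline. The first method does what the ticket reports (the `NumberFormatException` message, which embeds the raw argument, becomes the faultstring); the second returns a generic fault with a correlation id and keeps the detail server-side, and XML-escapes whatever does go into the fault so a value containing `<` cannot break the envelope either.

```java
import java.util.UUID;
import java.util.logging.Logger;

public class FaultReflectionDemo {
    private static final Logger LOG = Logger.getLogger(FaultReflectionDemo.class.getName());

    // Constructed sample: the value the reporter's security team sent for a parameter
    // declared as xsd:long. As a Java literal it reads exactly as in the ticket.
    static final String HOSTILE_INPUT =
        "a=\"get\";b=\"URL(\\\"\";c=\"javascript:\";d=\"alert('XSS');\\\")\";eval(a+b+c+d);";

    /** Behaviour reported in AXIS-2868 (hypothetical stand-in for the generated skeleton):
     *  the exception message, which contains the raw input, is copied into the fault. */
    static String reflectingFault(String rawParam) {
        try {
            long v = Long.parseLong(rawParam);
            return "<ok>" + v + "</ok>";
        } catch (NumberFormatException e) {
            // e.getMessage() is "For input string: \"<raw value>\"", so the input is reflected.
            return soapFault(e.getMessage(), e.toString());
        }
    }

    /** Hardened variant: the client gets a generic message and a reference id; the
     *  invalid value itself never leaves the server. */
    static String hardenedFault(String rawParam) {
        try {
            long v = Long.parseLong(rawParam);
            return "<ok>" + v + "</ok>";
        } catch (NumberFormatException e) {
            String ref = UUID.randomUUID().toString();
            // Log a fact about the input (its length), not the input, so the log is not a second sink.
            LOG.warning("fault " + ref + ": argument is not a valid xsd:long, length=" + rawParam.length());
            return soapFault("Invalid value for an argument of type xsd:long (ref " + ref + ")", null);
        }
    }

    /** Builds a SOAP 1.1 fault; every dynamic value passes through escapeXml. */
    static String soapFault(String faultString, String detail) {
        StringBuilder sb = new StringBuilder();
        sb.append("<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">")
          .append("<soapenv:Body><soapenv:Fault>")
          .append("<faultcode>soapenv:Server</faultcode>")
          .append("<faultstring>").append(escapeXml(faultString)).append("</faultstring>");
        if (detail != null) {
            sb.append("<detail>").append(escapeXml(detail)).append("</detail>");
        }
        return sb.append("</soapenv:Fault></soapenv:Body></soapenv:Envelope>").toString();
    }

    /** Escapes the five XML special characters for use in element text. */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String reflected = reflectingFault(HOSTILE_INPUT);
        String hardened = hardenedFault(HOSTILE_INPUT);
        System.out.println("reflecting: " + reflected);
        System.out.println("hardened:   " + hardened);
        // The check an auditor would run against a live endpoint: does the fault echo the input?
        System.out.println("reflecting echoes input: " + reflected.contains("alert('XSS')"));
        System.out.println("hardened echoes input:   " + hardened.contains("alert('XSS')"));
        // Valid input still takes the normal path in both variants.
        System.out.println(hardenedFault("42"));
    }
}
```

Two points worth keeping in mind when applying this. First, escaping alone does not address the ticket: the reflected value is already legal XML text (it contains no `<` or `&`), and the risk the security team describes arises later, when a consumer renders the faultstring into HTML without output encoding. Not reflecting the value at all is what removes the server's share of the problem; consumers should still HTML-encode fault text they display. Second, a generic message plus a correlation id preserves debuggability, since the operator can match the id in the response to the server-side log line.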
