[
https://issues.apache.org/jira/browse/AXIS2-5700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621133#comment-14621133
]
Randall Vasquez edited comment on AXIS2-5700 at 7/9/15 7:46 PM:
----------------------------------------------------------------
Yes you are correct.
The envelope should be done according to spec under normal circumstances.
However in this case it is being done on purpose and the expected result is
that the fault should be processed through the defined fault handler. This is
what I am actually reporting.
Instead of going through any handler defined in the InFaultFlow or the
OutFaultFlow which in our case would suppress the component/class name
"com.ctc.wstx.exc.WstxUnexpectedCharException", a fault is being thrown that
leaks this name out.
We are trying to suppress any such leaked class/component names which may
provide information about the application/framework that may assist a hacker in
a future attack.
was (Author: rvasquez):
Yes you are correct.
The envelope should be done according to spec under normal circumstances.
However in this case it is being done on purpose and the expected result is
that the fault should be processed through the defined fault handler. This is
what I am actually reporting.
Instead of going through any handler defined in the InFaultFlow or the
OutFaultFlow which in our case would suppress the component/class name
"com.ctc.wstx.exc.WstxUnexpectedCharException", a fault is being thrown that
leaks this name out.
We are trying to suppress any such leaked information which may provide
information about the application/framework that may assist a hacker in a
future attack.
> Fault Handler not reached when soap envelope contains empty namespace
> ---------------------------------------------------------------------
>
> Key: AXIS2-5700
> URL: https://issues.apache.org/jira/browse/AXIS2-5700
> Project: Axis2
> Issue Type: Bug
> Components: kernel
> Affects Versions: 1.6.2
> Environment: Windows 7 Professional. Java 6+, Tomcat, JBoss.
> Reporter: Randall Vasquez
>
> A customer has a requirement that our application be secure. One of the
> issues brought up was component names being leaked in error messages which
> may assist hackers by providing info they may use in future attacks.
> To resolve this issue we attempted to use a simple custom handler that checks
> for a fault and replaces the message with something more generic.
> The axis2.xml file was then modified to include the handler within the
> InFaultFlow and OutFaultFlows in the appropriate section as defined by the
> axis2.xml.
> However when a namespace is empty in the soap message or there is an issue in
> the envelope at the root element
>
> example:
> <Envelope xmlns:soapenv=""
> ...otherwise well constructed soap message
> </Envelope>
> the AxisServlet throws an AxisFault exception bypassing the handlers
> and leaking info
> example result:
> <soapenv:Envelope
> ...
> ><faultstring>com.ctc.wstx.exc.WstxUnexpectedCharException: Illegal character
> >(NULL, unicode 0) encountered: not valid in any content
> at [row,col {unknown-source}]: [1,313]</faultstring>
> ..
> </soapenv:Envelope>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
