See my previous response from a few days ago; my suggestion is that you can fix the info leak via the application server config.
On Tue, Jan 30, 2018 at 10:27 PM, fateh.singh <fateh.si...@newgen.co.in> wrote:
> Hi Folks,
>
> Any help on this would be appreciated!!!
>
> Regards,
> Fateh Singh,
> Extn: 612 (Gurgaon)
>
> *From:* fateh.singh [mailto:fateh.si...@newgen.co.in]
> *Sent:* Monday, January 29, 2018 10:59 AM
> *To:* 'java-dev@axis.apache.org'
> *Cc:* 'Nitin Kumar'; 'Puneet Pahuja'; 'Sandeep Singh Raghuvanshi'
> *Subject:* [Axis2] : Application Error message in Acunetix Report
>
> Hi Team,
>
> We scanned the *axis2 version 1.7.6* with *Acunetix* to find security threats. Acunetix reported an issue "*Application Error Message*". We are getting *response code 500* with error message *"Internal Server Error"*.
>
> We tried replacing "axis2.war\axis2-web\Error\error500.jsp" with a custom jsp/html file and updated the same in web.xml at location "axis2.war\WEB-INF", but it did not solve our problem. Please help us remove this from the Acunetix report. For your reference, a snippet of the Acunetix report is given below.
>
> *Description*
>
> This alert requires manual confirmation
> Application error or warning messages may expose sensitive information about an application's internal workings to an attacker. Acunetix found an error or warning message that may disclose sensitive information. The message may also contain the location of the file that produced an unhandled exception. Consult the 'Attack details' section for more information about the affected page.
>
> *Impact*
>
> Error messages may disclose sensitive information which can be used to escalate attacks.
>
> *Affected items*
>
> */axis2/services/ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint*
>
> Details
>
> WSDL input *ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint.wfUploadWorkitem.address* was set to *bHpHRENnODc1b3l0MkQ1TTJyd0lJNw==*
>
> Pattern found:
>
> Internal Server Error
>
> Request headers
>
> POST /axis2/services/ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint/wfUploadWorkitem HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> Cookie: JSESSIONID=2hgS8DeuNDFLGn8nUOaDlGG2; JSESSIONID=2hgS8DeuNDFLGn8nUOaDlGG2
> Host: 192.168.57.103:8080
> Content-Length: 0
> Connection: Keep-alive
> Accept-Encoding: gzip,deflate
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
> Acunetix-Product: WVS/11.0 (Acunetix - WVSE)
> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
> Accept: */*
>
> Regards,
> Fateh Singh,
>
> Disclaimer :- This e-mail and any attachment may contain confidential, proprietary or legally privileged information. If you are not the original intended recipient and have erroneously received this message, you are prohibited from using, copying, altering or disclosing the content of this message. Please delete it immediately and notify the sender. Newgen Software Technologies Ltd (NSTL) accepts no responsibilities for loss or damage arising from the use of the information transmitted by this email including damages from virus and further acknowledges that no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of NSTL.
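The report itself says the finding "requires manual confirmation": a bare "Internal Server Error" body is not the same as a response that prints a stack trace. The check below is an added example of my own (not code from this thread or from Axis2) that classifies a captured error response as generic or as disclosing internals (stack frames, exception class names, file paths, a container banner); both sample bodies are constructed, and the Tomcat banner regex is just one example of a server-banner pattern.

```python
import re

# Patterns that indicate an HTTP error body discloses application internals,
# i.e. what the "Application Error Message" check is meant to catch.
LEAK_PATTERNS = {
    "java_stack_frame": re.compile(r"^\s*at [\w$.]+\([\w$]+\.java:\d+\)", re.M),
    "java_exception": re.compile(r"\b[\w.]*\w(?:Exception|Error)\b"),
    "file_path": re.compile(
        r"(?:[A-Za-z]:\\|/)[\w.\\/ -]+\.(?:java|jsp|class|xml|properties)\b"),
    "container_banner": re.compile(r"Apache Tomcat/\d"),  # example banner only
}


def classify_error_response(status: int, body: str) -> dict:
    """Report which disclosure patterns an error response matches.

    Returns {"status": ..., "leaks": [pattern names]}. A 5xx whose body
    matches nothing is the generic-message case the scanner asks you to
    confirm by hand rather than a real information leak.
    """
    leaks = [name for name, pat in LEAK_PATTERNS.items() if pat.search(body)]
    return {"status": status, "leaks": leaks}


def is_generic_error(status: int, body: str) -> bool:
    """True when the response is a server error that discloses no internals."""
    return status >= 500 and not classify_error_response(status, body)["leaks"]


# Constructed sample responses (not taken from the scan report).
GENERIC_BODY = "Internal Server Error"

LEAKY_BODY = r"""<html><body><h1>HTTP Status 500 - Internal Server Error</h1>
<pre>java.io.FileNotFoundException: C:\apps\axis2\WEB-INF\conf\axis2.xml
    at org.example.UploadHandler.handle(UploadHandler.java:42)
    at org.example.FrontServlet.service(FrontServlet.java:17)
</pre><hr>Apache Tomcat/8.5</body></html>"""

if __name__ == "__main__":
    for label, body in (("generic", GENERIC_BODY), ("leaky", LEAKY_BODY)):
        print(label, classify_error_response(500, body))
```

Feed it the status and body of the flagged endpoint's actual 500 response; an empty `leaks` list is the evidence to attach when closing the finding as a generic message.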