Renukaprasad created AXIS2-5907:
-----------------------------------
Summary: Axis2 provides a detailed error message in AxisFault, which leads to a security issue.
Key: AXIS2-5907
URL: https://issues.apache.org/jira/browse/AXIS2-5907
Project: Axis2
Issue Type: Bug
Components: kernel
Affects Versions: 1.6.3
Reporter: Renukaprasad
We have two cases.
Scenario-1:
The user enters an incorrect service name in the URL. The returned response is a proper error
message ("No service"), which allows the user to guess the possible service names.
<faultstring>The service cannot be found for the endpoint reference (EPR)
http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator</faultstring>
Scenario-2:
The user invokes the SOAP service without a SOAP envelope (no header / body). The error
message is "No operation & Action is EMPTY".
Invoke the URL from a browser without any header info:
http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/Calculator
The endpoint reference (EPR) for the Operation not found is
/com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null. If
this EPR was previously reachable, please contact the server administrator.
Both scenarios expose the detailed response to the attacker, which could lead to a
security threat.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
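As an added example that is not part of the report or of the Axis2 project, the following Python check parses SOAP 1.1 fault responses such as the two quoted above, flags faultstrings that reveal whether a service or operation exists or that echo internal endpoint paths, and rewrites a flagged fault to a generic message. The pattern names, the sample faults and the generic message are constructed here for illustration.

```python
import re
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soapenv", SOAP11_NS)  # keep the prefix on re-serialisation

# Constructed patterns, derived from the two faultstrings quoted in the report.
LEAK_PATTERNS = {
    "service-enumeration": re.compile(r"service cannot be found for the endpoint reference", re.I),
    "operation-enumeration": re.compile(r"Operation not found is .+ and the WSA Action", re.I),
}
# Absolute URLs or context-path/services/<name> fragments echoed back to the client.
INTERNAL_PATH = re.compile(r"(https?://[^\s<]+|/[\w./-]+/services/\w+)")
GENERIC_FAULTSTRING = "Request could not be processed."  # constructed replacement text

def _faultstring_element(root):
    # SOAP 1.1: <Fault> is namespaced, its <faultstring> child is unqualified.
    return root.find(f".//{{{SOAP11_NS}}}Fault/faultstring")

def extract_faultstring(xml_text):
    """Return the faultstring text of a SOAP 1.1 fault, or None if there is none."""
    fs = _faultstring_element(ET.fromstring(xml_text))
    return fs.text.strip() if fs is not None and fs.text else None

def classify_fault(xml_text):
    """Report which disclosure patterns the faultstring matches."""
    text = extract_faultstring(xml_text) or ""
    findings = [name for name, pat in LEAK_PATTERNS.items() if pat.search(text)]
    if INTERNAL_PATH.search(text):
        findings.append("internal-endpoint-path")
    return {"faultstring": text, "findings": findings, "leaks": bool(findings)}

def sanitize_fault(xml_text):
    """Replace a leaking faultstring with the generic message; pass others through."""
    if not classify_fault(xml_text)["leaks"]:
        return xml_text
    root = ET.fromstring(xml_text)
    _faultstring_element(root).text = GENERIC_FAULTSTRING
    return ET.tostring(root, encoding="unicode")

# Constructed sample responses built from the faultstrings quoted in the report.
_TEMPLATE = ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body><soapenv:Fault>'
             '<faultcode>soapenv:Server</faultcode><faultstring>%s</faultstring>'
             '</soapenv:Fault></soapenv:Body></soapenv:Envelope>')
FAULT_UNKNOWN_SERVICE = _TEMPLATE % (SOAP11_NS, "The service cannot be found for the endpoint "
    "reference (EPR) http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator")
FAULT_NO_OPERATION = _TEMPLATE % (SOAP11_NS, "The endpoint reference (EPR) for the Operation not "
    "found is /com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null.")
FAULT_BENIGN = _TEMPLATE % (SOAP11_NS, "Internal server error")
```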