robert lazarski commented on AXIS2-5907:

Axis2 1.6.3 is long unsupported, the latest version is 1.7.7 .

Invoking axis2 in an invalid way will create Exceptions and errors best handled 
by the application server config. There is also the axis2.xml config, which can 
control fault behavior.

Some of the errors mentioned can be a 404 or 500 error, which can be handled in 
the web.xml via <error-code>404</error-code> and <error-code>500</error-code> 

Furthermore, projects like urlrewrite can redirect with a custom page and 
message when a server url is not formed as expected.



> Axis2 provide detailed error message in AxisFault which lead to security 
> issue.
> -------------------------------------------------------------------------------
>                 Key: AXIS2-5907
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5907
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.6.3
>            Reporter: Renukaprasad
>            Priority: Major
>              Labels: security
> We have 2 cases.
> Scenario-1:
> User enter incorrect service name in URL. Return response will be proper 
> error message "No service", which allow user to guess the possible service 
> names.
> <faultstring>The service cannot be found for the endpoint reference (EPR) 
> Scenario-2:
> User invoke the Soap service without soap envelop (No header / body). Error 
> message "No operation & Action is EMPTY"
> Invoke the URL from browser without any header info - 
> The endpoint reference (EPR) for the Operation not found is 
> /com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null. 
> If this EPR was previously reachable, please contact the server administrator.
> Both scenarios expose the detailed response to the attacker which could lead 
> to security threat.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org

Reply via email to