[ https://issues.apache.org/jira/browse/AXIS2-5907?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

robert lazarski closed AXIS2-5907.
----------------------------------
    Resolution: Won't Fix

> Axis2 provide detailed error message in AxisFault which lead to security 
> issue.
> -------------------------------------------------------------------------------
>
>                 Key: AXIS2-5907
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5907
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.6.3
>            Reporter: Renukaprasad
>            Priority: Major
>              Labels: security
>
> We have 2 cases.
> Scenario-1:
> The user enters an incorrect service name in the URL. The returned response 
> will be a proper error message "No service", which allows the user to guess 
> the possible service names.
> <faultstring>The service cannot be found for the endpoint reference (EPR) 
> http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator</faultstring>
> Scenario-2:
> The user invokes the SOAP service without a SOAP envelope (no header / body). 
> Error message: "No operation & Action is EMPTY"
> Invoke the URL from a browser without any header info - 
> http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/Calculator
> The endpoint reference (EPR) for the Operation not found is 
> /com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null. 
> If this EPR was previously reachable, please contact the server administrator.
>  
> Both scenarios expose the detailed response to the attacker, which could lead 
> to a security threat.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
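
One way a deployment can handle both scenarios itself, as an added example (not part of the JIRA issue and not Axis2 code): a response filter, assumed here to run at a gateway or proxy in front of Axis2, that replaces the fault text with a generic message and keeps the detail in server logs under a reference id. The function name `scrub_fault`, the logger name and the sample envelope (including its faultcode and detail element) are constructed for illustration.

```python
import logging
import uuid
import xml.etree.ElementTree as ET

# SOAP 1.1 / 1.2 envelope namespaces and where each keeps the human-readable text.
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
ET.register_namespace("soapenv", SOAP11)  # keep readable prefixes on output
ET.register_namespace("env", SOAP12)
TEXT_PATH = {SOAP11: "faultstring", SOAP12: f"{{{SOAP12}}}Reason/{{{SOAP12}}}Text"}
DETAIL_TAG = {SOAP11: "detail", SOAP12: f"{{{SOAP12}}}Detail"}
log = logging.getLogger("fault_scrub")  # hypothetical logger name

# Constructed sample: a SOAP 1.1 fault carrying the Scenario-1 faultstring.
SAMPLE_FAULT = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>"
    "<faultstring>The service cannot be found for the endpoint reference (EPR) "
    "http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator"
    "</faultstring><detail><Exception>constructed server-side detail</Exception>"
    "</detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>"
)


def scrub_fault(body):
    """Return (client_body, incident_id); incident_id is None if nothing changed."""
    try:
        root = ET.fromstring(body)  # body is the backend's response, not client input
    except ET.ParseError:
        return body, None
    for ns in (SOAP11, SOAP12):
        fault = root.find(f"{{{ns}}}Body/{{{ns}}}Fault")
        if fault is None:
            continue
        incident = uuid.uuid4().hex[:12]
        text = fault.find(TEXT_PATH[ns])
        if text is not None:
            log.warning("fault %s: %s", incident, text.text)  # detail stays server-side
            text.text = f"Request could not be processed (ref {incident})."
        for detail in fault.findall(DETAIL_TAG[ns]):
            fault.remove(detail)  # drop any server-side detail element
        return ET.tostring(root, encoding="unicode"), incident
    return body, None
```

Because the same generic text is returned for an unknown service and for a missing operation, the two responses no longer differ in a way that reveals which service names exist.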
