[ https://issues.apache.org/jira/browse/AXIS2-6063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski updated AXIS2-6063:
-----------------------------------

Description:

Purposely using incorrect HTTP headers such as content-type can expose internal Axis2 library stack traces when using JSON based web services - with the intent of REST and SOAP being disabled. See below for an example:

<faultstring>org.apache.axiom.core.stream.StreamException: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '{' (code123) in prolog; expected '<'
* Connection #0 to host fake.com left intact
 at [row,col {unknown-source}]: [1,1]</faultstring>

This can be considered a "Sensitive Information Disclosure" by penetration testers. Adding enableJSONOnly to our distributed axis2.xml with a default of false solves the problem, as JSON based Axis2 web services are disabled by default too.

> Add enableJSONOnly parameter to axis2.xml
> -----------------------------------------
>
>                 Key: AXIS2-6063
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6063
>             Project: Axis2
>          Issue Type: Bug
>            Reporter: Robert Lazarski
>            Assignee: Robert Lazarski
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
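The axis2.xml change the issue proposes, written out here as an added example rather than the project's own distributed configuration. The parameter name and its shipped default of false come from the issue text; the root element name and the JSON messageBuilder/messageFormatter entries are assumed from Axis2's JSON support documentation and are not part of the issue.

```xml
<!-- Added example, not the axis2.xml shipped by the Axis2 project. -->
<axisconfig name="AxisJava2.0">

    <!-- Shipped default per AXIS2-6063: false. With SOAP/REST still
         dispatchable, a request carrying a non-JSON content-type is
         handed to the XML parser, and its exception text (the Woodstox
         WstxUnexpectedCharException above) is returned to the caller
         inside <faultstring>. -->
    <parameter name="enableJSONOnly">false</parameter>

    <!-- Hardened setting for a deployment that intends to serve JSON
         services only (the case the issue describes): set to true so
         that SOAP and REST are disabled and the internal stack trace
         is no longer exposed. Use one of the two settings, not both. -->
    <!-- <parameter name="enableJSONOnly">true</parameter> -->

    <!-- JSON builder/formatter registrations (assumed from Axis2's JSON
         support docs; not taken from the issue). -->
    <messageBuilder contentType="application/json"
                    class="org.apache.axis2.json.gson.JsonBuilder"/>
    <messageFormatter contentType="application/json"
                      class="org.apache.axis2.json.gson.JsonFormatter"/>

</axisconfig>
```

After changing the setting, a request to the JSON service with a deliberately wrong content-type should no longer return a fault containing the parser's exception class and row/column text; that absence is the check that the hardening took effect.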