[ 
https://issues.apache.org/jira/browse/AXIS2-6063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Lazarski updated AXIS2-6063:
-----------------------------------
    Description: 
Purposely using incorrect HTTP headers such as content-type can 
expose internal Axis2 library stack traces when using JSON based web 
services - with the intent of REST and SOAP being disabled.

See below for an example:

<faultstring>org.apache.axiom.core.stream.StreamException: 
com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '{' 
(code123) in prolog; expected '<'

* Connection #0 to host fake.com left intact
at [row,col {unknown-source}]: [1,1]</faultstring>

This can be considered a "Sensitive Information Disclosure" by 
penetration testers.

Adding enableJSONOnly to our distributed axis2.xml with a default of false 
solves the problem, as JSON based Axis2 web services are disabled by default 
too.
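As an added illustration (not Axis2 code, and not the project's actual enableJSONOnly implementation), the Python model below reproduces the failure mode described in this report and shows the two defensive behaviours that close it: rejecting a request up front when its Content-Type is not the JSON type the service expects, so no XML parser ever sees the payload, and keeping parser exception text in the server log rather than in the fault returned to the client. It also includes a small response check that flags a fault body carrying a fully-qualified Java exception class name or a parser location marker, which is what a defender would grep for in proxy logs or test output. The function names, the json_only and sanitize_faults flags, the LEAK_PATTERN regex and the org.example.parser.XmlParseException message are all constructed for this example.

```python
"""Model of the reported failure mode and its defensive handling.

Added example, not Axis2 code: handle_request(), fault(), LEAK_PATTERN and
the 'org.example.parser.XmlParseException' string are hypothetical
stand-ins. The json_only flag plays the role the report assigns to the
enableJSONOnly parameter.
"""
import logging
import re
import xml.etree.ElementTree as ET

log = logging.getLogger("dispatcher")

# Flags the two kinds of internal detail visible in the reported fault:
# a fully-qualified Java exception class name (such as the Woodstox
# WstxUnexpectedCharException) and a parser location marker "at [row,col ...]".
LEAK_PATTERN = re.compile(
    r"\b(?:[a-z][a-z0-9_]*\.){2,}[A-Z]\w*(?:Exception|Error)\b"
    r"|at \[row,col[^\]]*\]"
)


def leaks_internal_detail(fault_text: str) -> bool:
    """Detection check for responses: True if the body exposes library internals."""
    return LEAK_PATTERN.search(fault_text) is not None


def fault(status: int, message: str) -> dict:
    """Build a minimal SOAP-style fault response (constructed shape)."""
    return {"status": status, "body": f"<faultstring>{message}</faultstring>"}


def handle_request(headers: dict, body: str, json_only: bool, sanitize_faults: bool) -> dict:
    """Dispatch one request.

    json_only       -> reject anything that is not application/json before any
                       parser touches the payload (the enableJSONOnly idea).
    sanitize_faults -> keep parser exception text in the server log only.
    """
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()

    if json_only and ctype != "application/json":
        # Rejected up front: the XML parser never runs, so nothing internal can leak.
        return fault(415, "Unsupported Media Type")

    if ctype == "application/json":
        return {"status": 200, "body": "{}"}  # JSON service path, stand-in

    # XML/SOAP path. A JSON body arriving here reproduces the reported failure:
    # the parser chokes on '{' where it expected '<'.
    try:
        ET.fromstring(body)
    except ET.ParseError as exc:
        # Constructed Java-style message standing in for the real stack trace.
        detail = f"org.example.parser.XmlParseException: {exc}"
        log.error("XML parse failure: %s", detail)  # detail stays server-side
        if sanitize_faults:
            return fault(400, "Malformed request")
        return fault(500, detail)  # the leaking behaviour from the report
    return {"status": 200, "body": "<ok/>"}


if __name__ == "__main__":
    wrong_ctype = {"Content-Type": "text/xml"}  # constructed: JSON sent with an XML content type
    json_body = '{"hello": "world"}'
    for label, jo, sf in (("leaking", False, False), ("sanitized", False, True), ("json-only", True, False)):
        r = handle_request(wrong_ctype, json_body, json_only=jo, sanitize_faults=sf)
        print(f"{label:10} {r['status']} leak={leaks_internal_detail(r['body'])} {r['body']}")
```

Running the script prints the three outcomes side by side: the unguarded path returns a 500 whose fault body the check flags, the sanitized path returns a generic 400, and the JSON-only path never reaches the parser at all. The same leaks_internal_detail() check applied to the faultstring quoted in this report returns True, which is the condition a response-scanning test in a CI pipeline would assert against.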



> Add enableJSONOnly parameter to axis2.xml
> -----------------------------------------
>
>                 Key: AXIS2-6063
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6063
>             Project: Axis2
>          Issue Type: Bug
>            Reporter: Robert Lazarski
>            Assignee: Robert Lazarski
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
