[ https://issues.apache.org/jira/browse/AXIS2-5907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16357023#comment-16357023 ]
robert lazarski commented on AXIS2-5907:
----------------------------------------

Axis2 1.6.3 is long unsupported, the latest version is 1.7.7. Invoking axis2 in an invalid way will create Exceptions and errors best handled by the application server config. There is also the axis2.xml config, which can control fault behavior. Some of the errors mentioned can be a 404 or 500 error, which can be handled in the web.xml via <error-code>404</error-code> and <error-code>500</error-code> etc. Furthermore, projects like urlrewrite can redirect with a custom page and message when a server url is not formed as expected.

> Axis2 provides a detailed error message in AxisFault which leads to a security
> issue.
> -------------------------------------------------------------------------------
>
>                 Key: AXIS2-5907
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5907
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.6.3
>            Reporter: Renukaprasad
>            Priority: Major
>              Labels: security
>
> We have 2 cases.
>
> Scenario-1:
> User enters an incorrect service name in the URL. The returned response will be a proper
> error message "No service", which allows the user to guess the possible service
> names.
> <faultstring>The service cannot be found for the endpoint reference (EPR)
> http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator</faultstring>
>
> Scenario-2:
> User invokes the SOAP service without a SOAP envelope (no header / body). Error
> message "No operation & Action is EMPTY"
> Invoke the URL from browser without any header info -
> http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/Calculator
> The endpoint reference (EPR) for the Operation not found is
> /com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null.
> If this EPR was previously reachable, please contact the server administrator.
>
> Both scenarios expose the detailed response to the attacker, which could lead
> to a security threat.
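The web.xml error-code mapping the comment refers to, written out as an added illustration (it is not from the Axis2 project or from this issue thread). The servlet class and the `/services/*` mapping are the standard Axis2 deployment; the `/WEB-INF/error.html` page and its content are assumptions.

```xml
<!-- Added illustration, not Axis2 project code.
     Assumed: a static /WEB-INF/error.html that says only "request could not
     be processed" and carries no service names, EPRs or stack traces. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Standard Axis2 servlet registration -->
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>

  <!-- Replace the container's default 404 and 500 pages, which echo the
       requested path and exception text, with one generic page. -->
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/error.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/error.html</location>
  </error-page>

</web-app>
```

Two checks worth doing on a test deployment: the servlet `<error-page>` mechanism only takes over when the container itself generates the error (a `sendError` call or an uncaught exception), so a fault that a servlet writes into the response body with its own status code is not replaced by it, and the actual response to a bad service name and to a bodiless GET should be captured and inspected rather than assumed. Separately, the `sendStacktraceDetailsWithFaults` parameter in axis2.xml is the switch that controls whether exception stack traces are copied into the fault detail; it should stay `false` outside development.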
> --
> This message was sent by Atlassian JIRA
> (v7.6.3#76005)