Axis2 / AXIS2-5907

Axis2 provides detailed error messages in AxisFault, which leads to a security issue.


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 1.6.3
    • Fix Version/s: None
    • Component/s: kernel

    Description

      We have 2 cases.

      Scenario-1:

      The user enters an incorrect service name in the URL. The returned response is a proper "No service" error message, which allows the user to guess possible service names.

      <faultstring>The service cannot be found for the endpoint reference (EPR) http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/aaCalculator</faultstring>

      Scenario-2:

      The user invokes the SOAP service without a SOAP envelope (no header / body). Error message: "No operation & Action is EMPTY".

      Invoke the URL from a browser without any header info: http://10.18.250.242:19993/com.huawei.ebus.webapp.basic/services/Calculator

      The endpoint reference (EPR) for the Operation not found is /com.huawei.ebus.webapp.basic/services/Calculator and the WSA Action = null. If this EPR was previously reachable, please contact the server administrator.


      Both scenarios expose the detailed response to an attacker, which could lead to a security threat.

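Because the issue was closed as Won't Fix, the detailed fault strings stay in place, so a defender's practical option is to detect the service-name guessing that Scenario 1 enables. The following is an added example, not code from the issue or from Axis2: it parses Common Log Format access-log lines from the servlet container, groups requests by client, and flags clients that probe many distinct names under /services/ or draw many error responses; the sample log lines, client IPs, HTTP statuses and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Common Log Format lines from a hypothetical Axis2 servlet deployment
# (client IPs are RFC 5737 documentation addresses; statuses are assumed).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /com.huawei.ebus.webapp.basic/services/Calculator HTTP/1.1" 500 612
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /com.huawei.ebus.webapp.basic/services/aaCalculator HTTP/1.1" 500 701
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /com.huawei.ebus.webapp.basic/services/Billing HTTP/1.1" 500 701
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /com.huawei.ebus.webapp.basic/services/Admin HTTP/1.1" 500 701
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /com.huawei.ebus.webapp.basic/services/Users HTTP/1.1" 500 701
198.51.100.4 - - [10/Mar/2024:10:00:06 +0000] "POST /com.huawei.ebus.webapp.basic/services/Calculator HTTP/1.1" 200 355
198.51.100.4 - - [10/Mar/2024:10:00:07 +0000] "POST /com.huawei.ebus.webapp.basic/services/Calculator HTTP/1.1" 200 355
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')
SERVICE_RE = re.compile(r'/services/(?P<service>[^/?]+)')

def parse_line(line):
    """Parse one CLF line; return a dict (with the /services/ name, if any) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    s = SERVICE_RE.search(rec["path"])
    rec["service"] = s.group("service") if s else None
    return rec

def find_enumerators(log_text, max_distinct=3, max_faults=3):
    """Flag clients that request more than max_distinct different service names
    or draw more than max_faults error responses (HTTP >= 400) on /services/ paths.
    Returns {client_ip: (distinct_names, fault_responses)}."""
    distinct, faults = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["service"] is None:
            continue
        distinct[rec["ip"]].add(rec["service"])
        if rec["status"] >= 400:
            faults[rec["ip"]] += 1
    return {ip: (len(names), faults[ip]) for ip, names in distinct.items()
            if len(names) > max_distinct or faults[ip] > max_faults}

if __name__ == "__main__":
    for ip, (d, f) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {d} distinct service names, {f} fault responses")
```

On the constructed sample, only 203.0.113.7 is flagged (five distinct names, five fault responses); the legitimate client repeatedly calling one existing service is not.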

      People

        Assignee: Unassigned
        Reporter: prasad.acit Renukaprasad