axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "fateh.singh" <fateh.si...@newgen.co.in>
Subject RE: [Axis2] : Application Error message in Acunetix Report
Date Wed, 31 Jan 2018 05:27:17 GMT
Hi Folks,

 

Any help on this would be appreciated!!!

 

 

Regards,

Fateh Singh,

Extn: 612 (Gurgaon)

 

From: fateh.singh [mailto:fateh.singh@newgen.co.in] 
Sent: Monday, January 29, 2018 10:59 AM
To: 'java-dev@axis.apache.org'
Cc: 'Nitin Kumar'; 'Puneet Pahuja'; 'Sandeep Singh Raghuvanshi'
Subject: [Axis2] : Application Error message in Acunetix Report

 

Hi Team,

 

We scanned the axis2 version 1.7.6 with Acunetix to find security threats.
Acunetix reported an issue "Application Error Message". We are getting
response code 500 with error message "Internal Server Error".

We tried replacing  "axis2.war\axis2-web\Error\error500.jsp" with custom
jsp/html file and updated the same in web.xml at location
"axis2.war\WEB-INF" but it did not solve our problem. Please help us
removing this from Acunetix report. For your reference snippet  of Acunetix
report is given below.

 

                Description

                        This alert requires manual confirmation Application
error or warning messages may expose sensitive information about an
application's internal workings to an attacker. Acunetix found an error or
warning                           message that may disclose sensitive
information. The message may also contain the location of the file that
produced an unhandled exception. Consult the 'Attack details' section for
more information about the              affected page.

            Impact

                        Error messages may disclose sensitive information
which can be used to escalate attacks.

            Affected items

 
/axis2/services/ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint

                        Details

                                    WSDL input
ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint.wfUploadWorkitem.a
ddress was set to bHpHRENnODc1b3l0MkQ1TTJyd0lJNw==

                        Pattern found:

                                    Internal Server Error

                        Request headers

                                    POST

 
/axis2/services/ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint/wf
UploadWorkitem

                                    HTTP/1.1

                                    Content-Type:
application/x-www-form-urlencoded

                                    Cookie:
JSESSIONID=2hgS8DeuNDFLGn8nUOaDlGG2; JSESSIONID=2hgS8DeuNDFLGn8nUOaDlGG2

                                    Host: 192.168.57.103:8080

                                    Content-Length: 0

                                    Connection: Keep-alive

                                    Accept-Encoding: gzip,deflate

                                    User-Agent: Mozilla/5.0 (Windows NT 6.1;
WOW64) AppleWebKit/537.21 (KHTML, like Gecko)

                                    Chrome/41.0.2228.0 Safari/537.21

                                    Acunetix-Product: WVS/11.0 (Acunetix -
WVSE)

                                    Acunetix-Scanning-agreement: Third Party
Scanning PROHIBITED

                                    Acunetix-User-agreement:
http://www.acunetix.com/wvs/disc.htm

                                    Accept: */*

                                    

 

 

Regards,

Fateh Singh,

 


Disclaimer :- This e-mail and any attachment may contain confidential, proprietary or legally
privileged information. If you are not the original intended recipient and have erroneously
received this message, you are prohibited from using, copying, altering or disclosing the
content of this message. Please delete it immediately and notify the sender. Newgen Software
Technologies Ltd (NSTL)  accepts no responsibilities for loss or damage arising from the use
of the information transmitted by this email including damages from virus and further acknowledges
that no binding nature of the message shall be implied or assumed unless the sender does so
expressly with due authority of NSTL.

Mime
View raw message