axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "robertlazarski ." <robertlazar...@gmail.com>
Subject Re: [Axis2] : Application Error message in Acunetix Report
Date Wed, 31 Jan 2018 11:09:23 GMT
See my previous response from a few days ago, my suggestion is that you can
fix the info leak via the application server config,

On Tue, Jan 30, 2018 at 10:27 PM, fateh.singh <fateh.singh@newgen.co.in>
wrote:

> Hi Folks,
>
>
>
> Any help on this would be appreciated!!!
>
>
>
>
>
> Regards,
>
> Fateh Singh,
>
> Extn: 612 (Gurgaon)
>
>
>
> *From:* fateh.singh [mailto:fateh.singh@newgen.co.in]
> *Sent:* Monday, January 29, 2018 10:59 AM
> *To:* 'java-dev@axis.apache.org'
> *Cc:* 'Nitin Kumar'; 'Puneet Pahuja'; 'Sandeep Singh Raghuvanshi'
> *Subject:* [Axis2] : Application Error message in Acunetix Report
>
>
>
> Hi Team,
>
>
>
> We scanned the *axis2 version 1.7.6* with *Acunetix* to find security
> threats. Acunetix reported an issue "*Application Error Message*". We are
> getting *response code 500* with error message *"Internal Server Error"*.
>
> We tried replacing  "axis2.war\axis2-web\Error\error500.jsp" with custom
> jsp/html file and updated the same in web.xml at location
> "axis2.war\WEB-INF" but it did not solve our problem. Please help us
> removing this from Acunetix report. For your reference snippet  of Acunetix
> report is given below.
>
>
>
>                 *Description*
>
>                         This alert requires manual confirmation
> Application error or warning messages may expose sensitive information
> about an application's internal workings to an attacker. Acunetix found an
> error or warning                           message that may disclose
> sensitive information. The message may also contain the location of the
> file that produced an unhandled exception. Consult the 'Attack details'
> section for more information about the              affected page.
>
> *            Impact*
>
>                         Error messages may disclose sensitive information
> which can be used to escalate attacks.
>
>             *Affected items*
>
> *
> /axis2/services/ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint*
>
>                         Details
>
>                                     WSDL input *ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint.wfUploadWorkitem.address
> *was set to *bHpHRENnODc1b3l0MkQ1TTJyd0lJNw==*
>
>                         Pattern found:
>
>                                     Internal Server Error
>
>                         Request headers
>
>                                     POST
>
>                                     /axis2/services/ibps07jan_11_
> 1_service.ibps07jan_11_1_serviceHttpEndpoint/wfUploadWorkitem
>
>                                     HTTP/1.1
>
>                                     Content-Type: application/x-www-form-
> urlencoded
>
>                                     Cookie: JSESSIONID=2hgS8DeuNDFLGn8nUOaDlGG2;
> JSESSIONID=2hgS8DeuNDFLGn8nUOaDlGG2
>
>                                     Host: 192.168.57.103:8080
>
>                                     Content-Length: 0
>
>                                     Connection: Keep-alive
>
>                                     Accept-Encoding: gzip,deflate
>
>                                     User-Agent: Mozilla/5.0 (Windows NT
> 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
>
>                                     Chrome/41.0.2228.0 Safari/537.21
>
>                                     Acunetix-Product: WVS/11.0 (Acunetix
> - WVSE)
>
>                                     Acunetix-Scanning-agreement: Third
> Party Scanning PROHIBITED
>
>                                     Acunetix-User-agreement:
> http://www.acunetix.com/wvs/disc.htm
>
>                                     Accept: */*
>
>
>
>
>
>
>
> Regards,
>
> Fateh Singh,
>
>
>
> Disclaimer :- This e-mail and any attachment may contain confidential,
> proprietary or legally privileged information. If you are not the original
> intended recipient and have erroneously received this message, you are
> prohibited from using, copying, altering or disclosing the content of this
> message. Please delete it immediately and notify the sender. Newgen
> Software Technologies Ltd (NSTL) accepts no responsibilities for loss or
> damage arising from the use of the information transmitted by this email
> including damages from virus and further acknowledges that no binding
> nature of the message shall be implied or assumed unless the sender does so
> expressly with due authority of NSTL.
>
>

Mime
View raw message