axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "robertlazarski ." <robertlazar...@gmail.com>
Subject Re: [Axis2] : Application Error message in Acunetix Report
Date Mon, 29 Jan 2018 18:36:05 GMT
On Sun, Jan 28, 2018 at 10:29 PM, fateh.singh <fateh.singh@newgen.co.in>
wrote:

> Hi Team,
>
>
>
> We scanned the *axis2 version 1.7.6* with *Acunetix* to find security
> threats. Acunetix reported an issue "*Application Error Message*". We are
> getting *response code 500* with error message *"Internal Server Error"*.
>
> We tried replacing  "axis2.war\axis2-web\Error\error500.jsp" with custom
> jsp/html file and updated the same in web.xml at location
> "axis2.war\WEB-INF" but it did not solve our problem. Please help us
> removing this from Acunetix report. For your reference snippet  of Acunetix
> report is given below.
>
>
>
>                 *Description*
>
>                         This alert requires manual confirmation
> Application error or warning messages may expose sensitive information
> about an application's internal workings to an attacker. Acunetix found an
> error or warning                           message that may disclose
> sensitive information. The message may also contain the location of the
> file that produced an unhandled exception. Consult the 'Attack details'
> section for more information about the              affected page.
>
> *            Impact*
>
>                         Error messages may disclose sensitive information
> which can be used to escalate attacks.
>
>             *Affected items*
>
> *
> /axis2/services/ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint*
>
>                         Details
>
>                                     WSDL input *ibps07jan_11_1_service.ibps07jan_11_1_serviceHttpEndpoint.wfUploadWorkitem.address
> *was set to *bHpHRENnODc1b3l0MkQ1TTJyd0lJNw==*
>
>                         Pattern found:
>
>                                     Internal Server Error
>
>                         Request headers
>
>                                     POST
>
>                                     /axis2/services/ibps07jan_11_
> 1_service.ibps07jan_11_1_serviceHttpEndpoint/wfUploadWorkitem
>
>                                     HTTP/1.1
>
>                                     Content-Type: application/x-www-form-
> urlencoded
>
>                                     Cookie: JSESSIONID=2hgS8DeuNDFLGn8nUOaDlGG2;
> JSESSIONID=2hgS8DeuNDFLGn8nUOaDlGG2
>
>                                     Host: 192.168.57.103:8080
>
>                                     Content-Length: 0
>
>                                     Connection: Keep-alive
>
>                                     Accept-Encoding: gzip,deflate
>
>                                     User-Agent: Mozilla/5.0 (Windows NT
> 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
>
>                                     Chrome/41.0.2228.0 Safari/537.21
>
>                                     Acunetix-Product: WVS/11.0 (Acunetix
> - WVSE)
>
>                                     Acunetix-Scanning-agreement: Third
> Party Scanning PROHIBITED
>
>                                     Acunetix-User-agreement:
> http://www.acunetix.com/wvs/disc.htm
>
>                                     Accept: */*
>
>
>
>
>
>
>
> Regards,
>
> Fateh Singh,
>
>
>
> Disclaimer :- This e-mail and any attachment may contain confidential,
> proprietary or legally privileged information. If you are not the original
> intended recipient and have erroneously received this message, you are
> prohibited from using, copying, altering or disclosing the content of this
> message. Please delete it immediately and notify the sender. Newgen
> Software Technologies Ltd (NSTL) accepts no responsibilities for loss or
> damage arising from the use of the information transmitted by this email
> including damages from virus and further acknowledges that no binding
> nature of the message shall be implied or assumed unless the sender does so
> expressly with due authority of NSTL.
>
>
Best I can tell, the issue is "sensitive information" can exposed on axis2
500 errors.

That problem is typically handled at the application server level.

Typically at the application servers level,  you can disable Exception
stack traces and also not display the server info.

For example on Wildfly, this config will prevent axis2 stack traces and
server info from being exposed.

             <servlet-container name="default" stack-trace-on-error="none" >
                <jsp-config display-source-fragment="false"
x-powered-by="false"/>
                <websockets/>
            </servlet-container>

- R

Mime
View raw message