[ https://issues.apache.org/jira/browse/AXIS2-6063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski updated AXIS2-6063:
-----------------------------------
Fix Version/s: 1.8.3
> Add enableJSONOnly parameter to axis2.xml
> -----------------------------------------
>
> Key: AXIS2-6063
> URL: https://issues.apache.org/jira/browse/AXIS2-6063
> Project: Axis2
> Issue Type: Bug
> Reporter: Robert Lazarski
> Assignee: Robert Lazarski
> Priority: Major
> Fix For: 1.8.3
>
>
> Purposely using incorrect HTTP headers such as content-type
> can expose internal Axis2 library stack traces when using JSON based
> web services - with the intent of REST and SOAP being disabled.
> See below for an example:
> <faultstring>org.apache.axiom.core.stream.StreamException:
> com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '{'
> (code123) in prolog; expected '<'
> * Connection #0 to host fake.com left intact
> at [row,col
> {unknown-source}
> ]: [1,1]</faultstring>
> This can be considered a "Sensitive Information
> Disclosure" by penetration testers.
> Adding enableJSONOnly, which will throw an HTTP 500 error when enabled and the
> content-type is not application/json, to our distributed axis2.xml with a
> default of false solves the problem, as JSON based Axis2 web services are
> disabled by default too.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
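An added illustration, not part of the Jira issue text or of the axis2.xml shipped with Axis2: the fragment a deployer would change to apply the fix described in the issue, showing the permissive default beside the hardened setting. The `<axisconfig>`/`<parameter>` syntax and the `disableREST` parameter are Axis2's standard axis2.xml conventions; the assumption is that `enableJSONOnly` is read as a boolean string, as the issue describes.

```xml
<!-- Added example fragment of axis2.xml (not the file shipped with Axis2). -->
<axisconfig name="AxisJava2.0">

    <!-- Shipped default: false. With REST disabled and JSON enabled, a request
         carrying a wrong Content-Type (e.g. text/xml with a JSON body) still
         reaches the XML parser, and the resulting WstxUnexpectedCharException
         is echoed back inside <faultstring>, as the issue's sample shows.
    <parameter name="enableJSONOnly">false</parameter>
    -->

    <!-- Hardened setting for a JSON-only deployment (available from 1.8.3):
         any request whose Content-Type is not application/json is answered
         with a plain HTTP 500 before the body is parsed, so no library
         stack trace or parser message is disclosed. -->
    <parameter name="enableJSONOnly">true</parameter>

    <!-- Standard Axis2 parameter; the issue assumes REST is already off. -->
    <parameter name="disableREST">true</parameter>

</axisconfig>
```

After changing the setting, a request with a non-JSON Content-Type should receive a bare HTTP 500 rather than a SOAP fault containing a parser message; check that the response body no longer carries a `<faultstring>`.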