Hi folks,

I didn't know this list was still alive, and I don't work for Apache
(and this isn't so much a support mailing list, so you won't reach
whom you addressed it to), but it looks like it's a SOAP error, so not
Tomcat so much as whatever ancient web-services interface you've set
up. Tomcat's just dutifully passing up the error, I imagine. The
errors you can conveniently replace with Tomcat are the server-level
error-code ones (like 404), but this is a different beast, so it's a
red herring to look there. Whoever set this up would likely know
where the SOAP interface begins and should know how to either
catch/wrap things coming out sensibly, or manually adjust the errors.

The specific error looks like the "closing" end of an XML comment
being found somewhere it doesn't belong, so presumably this is just
a parse error inside the SOAP thing you're using.

On Wed, Aug 24, 2022 at 6:12 AM MOHD AMIR FAIZ
<a...@msctrustgate.com.invalid> wrote:
>
> Hi Tomcat Support,
>
> Based on our current setup, Apache Tomcat version 9.0.65 is installed on top 
> of a Windows operating system. The server is basically dedicated to an 
> API-based program where an integration process occurs between our API 
> and the client's application.
>
> We went through a penetration test activity recently and there is one test 
> case that we encountered related to error handling in Tomcat. What the 
> pen-testers did was purposely insert wrongly formatted input 
> just to see the response received at the client's application level. However, the 
> input was not even submitted to the application level since it was 
> removed/eliminated automatically by Tomcat, which generated a technical 
> error message. According to the pen-test team, that error message should be 
> customized to a non-technical message to avoid any exploitation activity. 
> We tried to find a solution for that in Tomcat, however we can't implement 
> it as they requested.
>
> Hence, we would like to get clarification from the Tomcat team: is there any way 
> that the error message can be customized in Tomcat? And is there any potential 
> risk that the application might have when this kind of error message is 
> exposed? A sample of the Tomcat error message response is below:
>
> <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
>       <S:Body>
>             <S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope">
>                  <faultcode>S:Server</faultcode>
>                  <faultstring>javax.xml.bind.UnmarshalException
>  - with linked exception:
> [com.ctc.wstx.exc.WstxParsingException: String ']]&gt;' not allowed in 
> textual content, except as the end marker of CDATA section
>  at [row,col {unknown-source}]: [8,26]]</faultstring>
>             </S:Fault>
>       </S:Body>
> </S:Envelope>
>
> Thanks and have a good day,
>
> Amir
>
> Project Manager
> Project Management Office
>
>
> MSC Trustgate.com Sdn. Bhd. (478231-x)
> Suite 2-9,Level 2, Block 4801
> CBD Perdana, Jalan Perdana
> 63000 Cyberjaya
> Selangor Darul Ehsan
> Malaysia
> Tel: +603 8318 1800
> Fax: +603 8319 1800
> HP: +6017 3913905
> a...@msctrustgate.com
>


-- 
Dr. Stuart Thiel, P. Eng.

---------------------------------------------------------------------
To unsubscribe, e-mail: taglibs-user-unsubscr...@tomcat.apache.org
For additional commands, e-mail: taglibs-user-h...@tomcat.apache.org
