Hi,

I'm concerned about SOAPAction Spoofing
(https://www.ws-attacks.org/SOAPAction_Spoofing) in CXF 3.2.9.
My web service has two operations: Operation1 and Operation2. I noticed that
when a SOAP request is sent with the body
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:exam="…">
   <soapenv:Header/>
   <soapenv:Body>
      <exam:Operation1/>
   </soapenv:Body>
</soapenv:Envelope>
and the SOAPAction HTTP header is set to …/Operation2,

Operation2 is invoked by CXF.
I wonder whether this behavior is expected and secure.

It seems that CXF validates the SOAPAction header against the WSDL (when the request
has a SOAPAction header naming an operation which does not exist in the WSDL, the
result is a Fault: ‘The given SOAPAction a does not match an operation.’).
However, it does not compare it with the operation inside the request body.

If the SOAPAction header is empty, the operation inside the request body is
taken into account when selecting the operation to invoke.

I found a similar issue which had been resolved in an older version
of the library: http://cxf.apache.org/cve-2012-3451.html
“In some cases, CXF uses the received SOAP Action to select the correct
operation to invoke, and does not check to see that the message body is
correct. This can be exploitable to execute a SOAP Action spoofing attack,
where an adversary can execute another operation in the web service by
sending the corresponding SOAP Action.”

Regards,
Tomasz
--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
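As an added example (not code from the mail above or from CXF itself), a small request-side check that a gateway, test harness or log review could apply to flag the discrepancy Tomasz describes: the operation element inside the SOAP Body versus the operation named by the SOAPAction header. It assumes the SOAPAction URI ends in the operation name and uses a constructed envelope with a made-up namespace.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"

# Constructed sample: Body names Operation1, the namespace is made up.
SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="%s"
    xmlns:exam="http://example.com/exam">
   <soapenv:Header/>
   <soapenv:Body>
      <exam:Operation1/>
   </soapenv:Body>
</soapenv:Envelope>""" % SOAP11_ENV


def body_operation(envelope_xml: str) -> Optional[str]:
    """Local name of the first child of soapenv:Body (SOAP 1.1 or 1.2), or None."""
    # For untrusted input at a gateway, parse with defusedxml instead.
    root = ET.fromstring(envelope_xml)
    for ns in (SOAP11_ENV, SOAP12_ENV):
        body = root.find("{%s}Body" % ns)
        if body is not None:
            for child in body:
                return child.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix
            return None
    return None


def header_operation(soap_action: Optional[str]) -> Optional[str]:
    """Operation name named by a SOAPAction value, or None if the header is empty.
    Assumption (not from the mail): the action URI ends in the operation name,
    e.g. http://example.com/exam/Operation2 or urn:exam:Operation2."""
    if soap_action is None:
        return None
    action = soap_action.strip().strip('"').rstrip("/")  # SOAP 1.1 quotes the value
    if not action:
        return None
    return action.replace("#", "/").replace(":", "/").rsplit("/", 1)[-1]


def check_soap_action(envelope_xml: str, soap_action: Optional[str]) -> dict:
    """Compare header and body operation; verdict is one of
    'ok', 'mismatch', 'body-selects' (empty header) or 'no-body-operation'."""
    body_op = body_operation(envelope_xml)
    header_op = header_operation(soap_action)
    if header_op is None:
        verdict = "body-selects"
    elif body_op is None:
        verdict = "no-body-operation"
    else:
        verdict = "ok" if header_op == body_op else "mismatch"
    return {"body": body_op, "header": header_op, "verdict": verdict}
```

A "mismatch" verdict is exactly the request shape described in the mail (Body says Operation1, SOAPAction says Operation2) and is worth rejecting or at least logging at the edge.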