axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Randall Vasquez (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (AXIS2-5700) Fault Handler not reached when soap envelope contains empty namespace
Date Thu, 09 Jul 2015 19:47:04 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-5700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621133#comment-14621133
] 

Randall Vasquez edited comment on AXIS2-5700 at 7/9/15 7:46 PM:
----------------------------------------------------------------

Yes you are correct. 
The envelope should be done according to spec under normal circumstances.
However in this case it is being done on purpose and the expected result is that the fault
should be processed through the defined fault handler. This is what I am actually reporting.
Instead of going through any handler defined in the  InFaultFlow or the OutFaultFlow which
in our case would suppress the component/class name "com.ctc.wstx.exc.WstxUnexpectedCharException",
a fault is being thrown that leaks this name out.

We are trying to suppress any such leaked class/component names which may provide information
about the application/framework that may assist a hacker in a future attack.


was (Author: rvasquez):
Yes you are correct. 
The envelope should be done according to spec under normal circumstances.
However in this case it is being done on purpose and the expected result is that the fault
should be processed through the defined fault handler. This is what I am actually reporting.
Instead of going through any handler defined in the  InFaultFlow or the OutFaultFlow which
in our case would suppress the component/class name "com.ctc.wstx.exc.WstxUnexpectedCharException",
a fault is being thrown that leaks this name out.

We are trying to suppress any such leaked information which may provide information about
the application/framework that may assist a hacker in a future attack.

> Fault Handler not reached when soap envelope contains empty namespace
> ---------------------------------------------------------------------
>
>                 Key: AXIS2-5700
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5700
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.6.2
>         Environment: Windows 7 Professional. Java 6+, Tomcat, JBoss.
>            Reporter: Randall Vasquez
>
> A customer has a requirement that our application be secure. One of the issues brought
up was component names being leaked in error messages which may assist hackers by providing
info they may use in future attacks.
> To resolve this issue we attempted to use a simple custom handler that checks for a fault
and replaces the message with something more generic.
> The axis2.xml file was then modified to include the handler within the InFaultFlow and
OutFaultFlows in the appropriate section as defined by the axis2.xml.
> However when a namespace is empty in the soap message or there is an issue in the envelope
at the root element
>  
> example:
> <Envelope xmlns:soapenv="" 
> ...otherwise well constructed soap message
> </Envelope>
> the AxisServlet throws an AxisFault exception bypassing the handlers
> and leaking info
> example result:
>  <soapenv:Envelope 
> ...
> ><faultstring>com.ctc.wstx.exc.WstxUnexpectedCharException: Illegal character
(NULL, unicode 0) encountered: not valid in any content
>  at [row,col {unknown-source}]: [1,313]</faultstring>
> ..
> </soapenv:Envelope>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message