
List:       axis-user-ja
Subject:    [jira] [Updated] (AXIS2-6063) Add enableJSONOnly parameter to axis2.xml
From:       "Robert Lazarski (Jira)" <jira () apache ! org>
Date:       2023-12-29 16:38:00
Message-ID: JIRA.13563182.1703865955000.98120.1703867880021 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/AXIS2-6063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Lazarski updated AXIS2-6063:
-----------------------------------
    Fix Version/s: 1.8.3

> Add enableJSONOnly parameter to axis2.xml
> -----------------------------------------
> 
> Key: AXIS2-6063
> URL: https://issues.apache.org/jira/browse/AXIS2-6063
> Project: Axis2
> Issue Type: Bug
> Reporter: Robert Lazarski
> Assignee: Robert Lazarski
> Priority: Major
> Fix For: 1.8.3
> 
> 
> Purposely using incorrect HTTP headers such as content-type can expose internal
> Axis2 library stack traces when using JSON-based web services - with the intent
> of REST and SOAP being disabled. See below for an example:
> 
> <faultstring>org.apache.axiom.core.stream.StreamException: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '{' (code123) in prolog; expected '<' * Connection #0 to host fake.com left intact  at [row,col {unknown-source}]: [1,1]</faultstring>
> 
> This can be considered a "Sensitive Information Disclosure" by penetration
> testers. Adding enableJSONOnly, which will throw an HTTP 500 error when enabled
> and the content-type is not application/json, to our distributed axis2.xml with
> a default of false solves the problem, as JSON-based Axis2 web services are
> disabled by default too.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
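The gate the issue describes, as an added example that is not Axis2 project code: a request whose Content-Type is not application/json is answered with a fixed HTTP 500 before the body can reach an XML parser, beside a constructed stand-in for the unguarded path that echoes parser text into the fault, plus a check a defender can run over responses to spot that leakage. All function names and the sample messages are assumptions.

```python
# Added example (not Axis2 code): content-type gate modelled on the enableJSONOnly
# behaviour from AXIS2-6063. The "unguarded" path is a constructed stand-in for
# the legacy XML route; it is not the real Axiom/Woodstox parser.
import json

GENERIC_FAULT = b'{"fault": "request could not be processed"}'
# Fragments of parser/stack-trace output worth flagging in outbound responses.
LEAK_MARKERS = ("Exception", "at [row,col", "in prolog")


def media_type(header):
    """Normalise a Content-Type value to bare type/subtype ('' if absent);
    parameters such as '; charset=utf-8' must not defeat the comparison."""
    if not header:
        return ""
    return header.split(";", 1)[0].strip().lower()


def unguarded_dispatch(body):
    """Stand-in for the legacy path: a non-XML body hits the XML parser and the
    exception text is copied into <faultstring>, which is what the issue reports."""
    try:
        if not body.lstrip().startswith(b"<"):
            raise ValueError("Unexpected character '{' (code 123) in prolog; "
                             "expected '<' at [row,col {unknown-source}]: [1,1]")
        return 200, b"<ok/>"
    except ValueError as exc:
        return 500, ("<faultstring>%s</faultstring>" % exc).encode()


def handle(headers, body, enable_json_only):
    """Return (status, body). With enable_json_only set, anything that is not
    application/json gets a fixed 500 before any parser sees the body."""
    ctype = media_type(headers.get("content-type"))
    if enable_json_only and ctype != "application/json":
        return 500, GENERIC_FAULT
    if ctype == "application/json":
        try:
            json.loads(body)
        except ValueError:
            return 500, GENERIC_FAULT  # malformed JSON: still no parser text
        return 200, b'{"ok": true}'
    return unguarded_dispatch(body)


def leaks_internals(response_body):
    """Detection check: does a response body carry parser/stack-trace text?"""
    text = response_body.decode("utf-8", "replace")
    return any(marker in text for marker in LEAK_MARKERS)
```

Run `leaks_internals` over captured fault responses from a staging deployment to confirm the gate is in effect; a hit means the parser text is still reaching clients.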

