Review

Detector:

Findbugs

Target:

project '

axis1

' version

1.2

Tags:

vulnerability

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-4
In File:	org/apache/axis/transport/http/AxisServlet.java
In Method:	reportCantGetJWSService(HttpServletRequest, HttpServletResponse, PrintWriter)
Code with Finding:	class AxisServlet { /** * probe for a JWS page and report 'no service' if one is not found there * @param request the request that didnt have an edpoint * @param response response we are generating * @param writer open writer for the request */ protected void reportCantGetJWSService(HttpServletRequest request, HttpServletResponse response, PrintWriter writer) { // first look to see if there is a service // requestPath is a work around to support serving .jws web services // from services URL - see AXIS-843 for more information String requestPath = request.getServletPath() + ((request.getPathInfo() != null) ? request.getPathInfo() : ""); String realpath = getServletConfig().getServletContext() .getRealPath(requestPath); log.debug("JWS real path: " + realpath); boolean foundJWSFile = (new File(realpath).exists()) && (realpath.endsWith(Constants. JWS_DEFAULT_FILE_EXTENSION)); response.setContentType("text/html; charset=utf-8"); if (foundJWSFile) { response.setStatus(HttpURLConnection.HTTP_OK); writer.println(Messages.getMessage("foundJWS00") + "<p>"); String url = request.getRequestURI(); String urltext = Messages.getMessage("foundJWS01"); writer.println("<a href='" + url + "?wsdl'>" + urltext + "</a>"); } else { response.setStatus(HttpURLConnection.HTTP_NOT_FOUND); writer.println(Messages.getMessage("noService06")); } } }

Metadata

Hit	Rank	Desc	Type	Violations
Yes	4	SECXSS2: This use of java/io/PrintWriter.println(Ljava/lang/String;)V could be vulnerable to XSS	XSS_SERVLET

Reviewer Name:	vidya
Comment: