Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Jaffer Sathick Mohideen Abdul Kather (jafferSathick)
TCS
Engineering Lead
TCS
GB
jafferSathick Member since 2010 23 posts
TCS
Posted: Oct 18, 2016
Last activity: May 7, 2017
Posted: 18 Oct 2016 5:46 EDT
Last activity: 7 May 2017 21:45 EDT
Closed
Solved

Java Run time error while accessing : https://< HostName >/prweb/PRRestService

While accessing, following URL, Pega throws run time exception error as shown in the attachment.

https://<HostName>/prweb/PRRestService

My Security testing team says this is a vulnerability as exceptions are not handled properly and recommends - 'Use generic error pages and error handling logic to inform end users of potential problems. Do not provide system information or other data that could be used by an attacker when orchestrating an attack.'

For example, If I access the following URL, I get a proper error message : 'Request URI must contain service package, class, and method keys'

https://<HostName>/prweb/PRRestService/monitor

Can you check this out ?

***Updated by Moderator: Marissa to add tag SR Created, added SR details***

To see attachments, please log in.
Java and Activities
Security
Support Case Created

Posted: 8 years ago
Posted: 18 Oct 2016 6:46 EDT
Rajeev Ranjan (ranjr)
PEGA
Principal Technical Solutions Engineer
PEG
PL

This is expected behaviour.

This is coming from the  web.xml. For tomcat, you could find in : webapps\prweb\WEB-INF

 

If you see the web.xml, following entries will be there :

    <servlet-mapping>
        <servlet-name>WebRestService</servlet-name>
        <url-pattern>/PRRestService/*</url-pattern>
    </servlet-mapping>

This is allowing the URL to go with any parameter and as the service is not getting the exact parameter, it is throwing the error.

One way is to restrict from web.xml (though i feel this is not nice way to do).

You could also raise a SR for this to be worked by GCS engineer.

 

To see attachments, please log in.
Posted: 8 years ago
Posted: 24 Oct 2016 6:10 EDT
Vidyaranjan AV (Vidyaranjan) Senior Online Community Moderator
Pegasystems Inc.
IN

Hi Jaffer,

It would be helpful if you let us know the details of the SR number you raised with GCS, so that we can tag it along with the query for better tracking.

Vidyaranjan A V | Community Moderator | PegaProductSupport | Pegasystems Inc.

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice