Facing problem in Postman in testing APIs

at com.wm.app.b2b.server.HTTPInvokeHandler._process(HTTPInvokeHandler.java:140)
at com.wm.app.b2b.server.HTTPInvokeHandler._process(HTTPInvokeHandler.java:94)
at com.wm.app.b2b.server.InvokeHandler.process(InvokeHandler.java:99)
at com.wm.app.b2b.server.HTTPDispatch.handleRequest(HTTPDispatch.java:203)
at com.wm.app.b2b.server.Dispatch.run(Dispatch.java:391)
at com.wm.util.pool.PooledThread.run(PooledThread.java:127)
at java.base/java.lang.Thread.run(Thread.java:829)

I’m facing this error when I’m testing my API in Postman. I’m giving the right flow service path and also giving the right credentials in Postman.

Hi Alfia,

Please provide more details about your issue, as the stack trace above does not contain the real error message thrown by the server.

Regards,
Holger

Hi, I also got the same pattern when I scanned webMethods Integration Server v10.15 with Acunetix, and it is reported as Medium Severity (I replaced the real domain with ‘domain’).

Error message on page

URL:
https://domain:2071/invoke/wm.server/

Attack Details

Pattern found:

at com.wm.app.b2b.server.HTTPInvokeHandler._process(HTTPInvokeHandler.java:140) at com.wm.app.b2b.server.HTTPInvokeHandler._process(HTTPInvokeHandler.java:94) at com.wm.app.b2b.server.InvokeHandler.process(InvokeHandler.java:99) at com.wm.app.b2b.server.HTTPDispatch.handleRequest(HTTPDispatch.java:203) at com.wm.app.b2b.server.Dispatch.run(Dispatch.java:391) at com.wm.util.pool.PooledThread.run(PooledThread.java:127)

Vulnerability Description

This alert requires manual confirmation

Application error or warning messages may expose sensitive information about an application’s internal workings to an attacker.

Acunetix found an error or warning message that may disclose sensitive information. The message may also contain the location of the file that produced an unhandled exception. Consult the ‘Attack details’ section for more information about the affected page.

Discovered by Error message on page

The impact of this vulnerability

Error messages may disclose sensitive information which can be used to escalate attacks.

How to fix this vulnerability

Verify that this page is disclosing error or warning messages and properly configure the application to log errors to a file instead of displaying the error to the user.

Classification

CWE
CWE-200
CVSS
Base Score: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Please, does anyone have information about this or how to resolve it?
Thanks in advance.

For security issues, I would suggest you raise a support ticket with Software AG.

-NP

1 Like

Thanks, Prasad, for your response.
Unfortunately I no longer have access to Empower to raise tickets; I am only using the trial version of IS wM 10.15 for a PoC for my clients next week.

Hi Everyone…
I had this issue resolved with fixes core 8 for IS v10.15, and changed the value of watt.server.http.returnException from true (default value) to message.
I re-scanned using Acunetix and the bug is no longer reported.

Thanks

3 Likes
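
A way to re-check a response body for this finding after changing watt.server.http.returnException, as an added example that is not part of the thread: it looks for Java stack frames like the ones Acunetix flagged and lists the packages they expose. The two response bodies are constructed samples (the frames are the ones quoted above; the wrapper text and the post-fix body are assumptions), and the function names are hypothetical.

```python
import re

# One Java stack frame, e.g. "at pkg.Class.method(File.java:123)". The optional
# "module/" prefix covers frames such as "java.base/java.lang.Thread.run(...)".
FRAME = re.compile(
    r"\bat\s+(?:[\w.]+/)?((?:[\w$]+\.)+[\w$<>]+)\(([\w$]+\.java):(\d+)\)"
)

def leaked_frames(body):
    """Return (qualified_method, source_file, line_number) per frame found."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in FRAME.finditer(body)]

def assess(body, min_frames=2):
    """Flag a body that exposes a stack trace and list the packages it reveals."""
    frames = leaked_frames(body)
    # Drop the method and class names to get the package of each frame.
    packages = sorted({method.rsplit(".", 2)[0] for method, _, _ in frames})
    return {"disclosure": len(frames) >= min_frames,
            "frames": len(frames),
            "packages": packages}

# Constructed sample: frames as quoted in the thread, wrapper text assumed.
BEFORE = """<html><body>Error (constructed wrapper text)
at com.wm.app.b2b.server.HTTPInvokeHandler._process(HTTPInvokeHandler.java:140)
at com.wm.app.b2b.server.HTTPInvokeHandler._process(HTTPInvokeHandler.java:94)
at com.wm.app.b2b.server.InvokeHandler.process(InvokeHandler.java:99)
at com.wm.app.b2b.server.HTTPDispatch.handleRequest(HTTPDispatch.java:203)
at com.wm.app.b2b.server.Dispatch.run(Dispatch.java:391)
at com.wm.util.pool.PooledThread.run(PooledThread.java:127)
at java.base/java.lang.Thread.run(Thread.java:829)
</body></html>"""

# Constructed sample: assumed shape of a body carrying only an error message.
AFTER = "<html><body>Error: constructed placeholder message only</body></html>"

if __name__ == "__main__":
    for label, body in (("before", BEFORE), ("after", AFTER)):
        print(label, assess(body))
```

Feed it bodies captured from your own server before and after the setting change; a result with `disclosure` still true means the response is still returning the trace.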