IBM Support

webMethods Knowledgebase : How to change the default error message for security reasons? (1753964)

Troubleshooting


Problem

When you run the following URL on an IS https://<host>/invoke/abc/abc it exposes the CLASS name: com.wm.app.b2b.server. This reveals that the server is actually a webMethods IS giving an attacker the opportunity to target particular areas rather than random hits. Please tell us how to restrict the error information.

The question is: Is there any possibility to hide, restrict or change this default page?

(I haven't found anything reported or documented about this.)

Here is the vulnerability definition in detail:

OWASP TOP10 2013 A6

https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure

WASC-13

http://projects.webappsec.org/w/page/13246936/Information%20Leakage

Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data. Sensitive data may be used by an attacker to exploit the target web application, its hosting network, or its users. Therefore, leakage of sensitive data should be limited or prevented whenever possible. Information Leakage, in its most common form, is the result of one or more of the following conditions: A failure to scrub out HTML/Script comments containing sensitive information, improper application or server configurations, or differences in page responses for valid versus invalid data.

CWE-200

http://cwe.mitre.org/data/definitions/200.html

Information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
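As an added defender-side check, not part of this IBM article, the function below inspects an HTTP error body offline for the kind of leakage the problem statement describes: the com.wm.app.b2b.server class prefix quoted above, fully qualified Java exception names, and stack-trace frames. The sample bodies are constructed, and every class or method name in them beyond the quoted package prefix is an assumption, not real Integration Server output.

```python
import re

# Markers that an error page is revealing implementation details.
# The com.wm.app.b2b.server prefix is the one quoted in the problem statement;
# the other two are generic Java exception / stack-frame shapes.
LEAK_PATTERNS = {
    "webmethods_class": re.compile(r"\bcom\.wm\.app\.b2b\.server\.[A-Za-z0-9_.$]+"),
    "java_exception": re.compile(
        r"\b[a-z]+(?:\.[a-z0-9_]+)+\.[A-Z][A-Za-z0-9_$]*(?:Exception|Error)\b"
    ),
    "stack_frame": re.compile(r"^\s*at\s+[\w$.<>]+\([^)]*\)", re.MULTILINE),
}


def find_leaks(body: str) -> dict[str, list[str]]:
    """Return the implementation details found in an error body, keyed by kind."""
    found: dict[str, list[str]] = {}
    for kind, pattern in LEAK_PATTERNS.items():
        matches = sorted({m.group(0).strip() for m in pattern.finditer(body)})
        if matches:
            found[kind] = matches
    return found


def is_hardened(body: str) -> bool:
    """True when the body reveals none of the patterns above."""
    return not find_leaks(body)


# Constructed sample bodies (not captured from a real server); the class and
# method names are assumed for illustration only.
LEAKY_BODY = """<html><body>
Could not run 'abc'
com.wm.app.b2b.server.ServiceException: constructed sample message
  at com.wm.app.b2b.server.ExampleClass.method(ExampleClass.java:42)
</body></html>"""

GENERIC_BODY = "<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    print(find_leaks(LEAKY_BODY))   # three kinds of leakage reported
    print(is_hardened(GENERIC_BODY))  # True: a generic page reveals nothing
```

A hardening test can feed the body returned for an unknown `/invoke/` path into `is_hardened` and fail the build when it returns False.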

Document Location

Worldwide



Document Information

Modified date:
20 March 2025

UID

ibm17221152