Now I have added a security test that will fail if any admin service has been exposed via non-HTTPS transports.
On Tue, Mar 22, 2011 at 11:49 AM, Dimuthu Leelarathne <[email protected]> wrote:
> Hi,
>
> On Tue, Mar 22, 2011 at 10:34 AM, Afkham Azeez <[email protected]> wrote:
>
>> Hmm no answer!!!
>>
>> DimuthuL, you have added LoginStatisticsAdmin on 6/2/2009 928AM with this
>> log:
>> " Exposing a login stat service. This is a hack, as discussed by the
>> team. I tried my best to limit the adverse effects done by this bad hack.
>> "
>> HTTP has been explicitly enabled for this service. What is this service?
>> What is the risk of having this service, what are these adverse effects you
>> are talking about and why did you explicitly expose it via HTTP?
>>
>
> IIRC, I added this for BAM people. It is a read-only service. It doesn't
> let anyone write/modify server data. However it exposes login stats. I
> should have kept a close eye on it and removed HTTP before release. What
> should be the next steps?
>
> Thanks,
> Dimuthu
>
>> FileDownloadService has been added on 12/18/08 1115PM by Keith with this
>> log:
>> "Adding a fileDownload Service so that we have a mechanism of accessing
>> files via fileDownload when running in a separate FE BE env"
>> HTTP has been explicitly enabled for this service as well.
>>
>> On Mon, Mar 21, 2011 at 12:12 PM, Afkham Azeez <[email protected]> wrote:
>>
>>> Is there a particular reason why these services are exposed via HTTP &
>>> HTTPS? All other admin services are exposed only via HTTPS.
>>>
>>> --
>>> Afkham Azeez
>>> Senior Software Architect & Senior Manager; WSO2, Inc.; http://wso2.com
>>> Member; Apache Software Foundation; http://www.apache.org/
>>> email: [email protected]  cell: +94 77 3320919
>>> blog: http://blog.afkham.org
>>> twitter: http://twitter.com/afkham_azeez
>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>> Lean . Enterprise . Middleware
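As an added example (not code from this thread or from WSO2 Carbon), here is a standalone check in the spirit of the security test mentioned at the top of the message: it parses Axis2-style `services.xml` content and reports every admin service reachable over anything but HTTPS. It assumes the Axis2 layout in which a service's `<transports>` element lists the transports it is exposed on and Carbon marks admin services with an `adminService` parameter set to `true`; the sample XML, and every service name other than the two discussed in the thread, is constructed.

```python
"""Audit Axis2-style services.xml: flag admin services exposed over non-HTTPS transports.
Assumes <transports>/<transport> lists exposure and <parameter name="adminService">true</parameter>
marks admin services. In Axis2 a service with no <transports> element is exposed on every transport."""
import xml.etree.ElementTree as ET

# Constructed sample. LoginStatisticsAdmin and FileDownloadService are the services
# named in the thread; the remaining services are invented to cover the other cases.
SAMPLE_SERVICES_XML = """<serviceGroup>
  <service name="LoginStatisticsAdmin">
    <transports><transport>http</transport><transport>https</transport></transports>
    <parameter name="adminService" locked="true">true</parameter>
  </service>
  <service name="FileDownloadService">
    <transports><transport>http</transport><transport>https</transport></transports>
    <parameter name="adminService" locked="true">true</parameter>
  </service>
  <service name="UserAdmin">
    <transports><transport>https</transport></transports>
    <parameter name="adminService" locked="true">true</parameter>
  </service>
  <service name="StatsAdminNoTransports">
    <parameter name="adminService" locked="true">true</parameter>
  </service>
  <service name="Echo"><transports><transport>http</transport></transports></service>
</serviceGroup>"""

def is_admin_service(service):
    """True when the service carries the adminService=true parameter."""
    return any(p.get("name") == "adminService" and (p.text or "").strip().lower() == "true"
               for p in service.findall("parameter"))

def insecure_transports(service, allowed=("https",)):
    """Transports outside `allowed`; ["*"] when no <transports> element restricts exposure."""
    transports = service.find("transports")
    if transports is None:
        return ["*"]
    return [t.text.strip().lower() for t in transports.findall("transport")
            if t.text and t.text.strip().lower() not in allowed]

def audit_admin_services(xml_text):
    """Map each offending admin service name to the transports that expose it.
    An empty result means the check passes; a non-empty one is the failing case."""
    root = ET.fromstring(xml_text)
    findings = {}
    for svc in root.iter("service"):
        if is_admin_service(svc):
            bad = insecure_transports(svc)
            if bad:
                findings[svc.get("name")] = bad
    return findings
```

Run against the sample, `audit_admin_services` flags the two services from the thread for `http` and the transport-less admin service for being exposed everywhere, while the HTTPS-only admin service and the non-admin `Echo` service pass.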
_______________________________________________
Carbon-dev mailing list
[email protected]
http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
