On Sun, Dec 18, 2011 at 11:10 AM, Hiranya Jayathilaka <[email protected]>wrote:
> Shouldn't ExternalTryitService be accessible for unauthenticated users? In that case, it should not be marked as an AdminService. AdminServices are given special treatment in our code. In any case, we should never expose System services which can be invoked without authentication, since this leaves the system open to DoS attacks.
>
> Thanks,
> Hiranya
>
> On Sun, Dec 18, 2011 at 10:24 AM, Afkham Azeez <[email protected]> wrote:
>
>> I just integrated the SecurityVerification test to WSO2 AS, and the test revealed the following vulnerability. AS team please fix ASAP.
>>
>> Failed tests:
>>
>> verifyAdminServiceSecurity(org.wso2.appserver.integration.tests.SecurityVerificationTestCase):
>> Admin service ExternalTryitService has been exposed on https,http,
>>
>> --
>> Afkham Azeez
>> Director of Architecture; WSO2, Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://www.apache.org/
>> email: [email protected]
>> cell: +94 77 3320919
>> blog: http://blog.afkham.org
>> twitter: http://twitter.com/afkham_azeez
>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>> Lean . Enterprise . Middleware
>>
>> _______________________________________________
>> Carbon-dev mailing list
>> [email protected]
>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>
> --
> Hiranya Jayathilaka
> Associate Technical Lead;
> WSO2 Inc.; http://wso2.org
> E-mail: [email protected]; Mobile: +94 77 633 3491
> Blog: http://techfeast-hiranya.blogspot.com

--
Afkham Azeez
Director of Architecture; WSO2, Inc.; http://wso2.com
Member; Apache Software Foundation; http://www.apache.org/
email: [email protected]
cell: +94 77 3320919
blog: http://blog.afkham.org
twitter: http://twitter.com/afkham_azeez
linked-in: http://lk.linkedin.com/in/afkhamazeez
Lean . Enterprise . Middleware
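The two rules the thread states (an admin service must not be published on external transports, and a system service must not be callable without authentication) written up as a verification check; this is an added example, not code from WSO2 Carbon or its SecurityVerificationTestCase, and the ServiceInfo model and sample registry are constructed.

```python
# Added example (not WSO2 code): a policy check modelled on the
# verifyAdminServiceSecurity failure quoted in the thread. The service
# model and the sample registry below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class ServiceInfo:
    name: str
    admin_service: bool                                      # marked as an AdminService
    exposed_transports: list = field(default_factory=list)   # externally published transports
    requires_auth: bool = True                               # False: callable without authentication


def verify_service_security(services):
    """Return one message per violation, in the style of the failing test."""
    failures = []
    for svc in services:
        # Rule 1 (the failing assertion in the thread): an admin service must
        # not be published on any external transport such as http or https.
        if svc.admin_service and svc.exposed_transports:
            failures.append("Admin service %s has been exposed on %s,"
                            % (svc.name, ",".join(svc.exposed_transports)))
        # Rule 2 (Hiranya's point): a system/admin service that can be invoked
        # without authentication leaves the server open to DoS; either require
        # authentication or stop marking the service as an AdminService.
        if svc.admin_service and not svc.requires_auth:
            failures.append("Admin service %s can be invoked without authentication"
                            % svc.name)
    return failures


# Constructed sample registry: the reported case plus two compliant services.
SAMPLE_SERVICES = [
    ServiceInfo("ExternalTryitService", admin_service=True,
                exposed_transports=["https", "http"], requires_auth=False),
    ServiceInfo("UserAdmin", admin_service=True),
    ServiceInfo("EchoService", admin_service=False,
                exposed_transports=["https", "http"], requires_auth=False),
]

if __name__ == "__main__":
    for line in verify_service_security(SAMPLE_SERVICES):
        print("FAIL:", line)
```

Only the ExternalTryitService entry trips the check; the unauthenticated EchoService passes because it is not an admin service, which is the fix Hiranya suggests for ExternalTryitService itself.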
