[
https://issues.apache.org/jira/browse/AXIS2-5911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16405577#comment-16405577
]
Andreas Veithen commented on AXIS2-5911:
----------------------------------------
I don't understand. The error messages basically mean that the Veracode thing
is too dumb to properly compile the JSPs. The only known problem is the weak
default password. If we remove that and instead use container security, then it
would be disabled by default.
> Update Axis2 FAQ to include production hardening tips
> -----------------------------------------------------
>
> Key: AXIS2-5911
> URL: https://issues.apache.org/jira/browse/AXIS2-5911
> Project: Axis2
> Issue Type: Improvement
> Reporter: robert lazarski
> Assignee: robert lazarski
> Priority: Major
>
> The axis2 mailing list is getting frequent requests for help, regarding 3rd
> party penetration testing tool reports. Jira issues are also getting created.
> A lot of these reports are in the localhost:8080/axis2/axis2-web section for
> example. Its not mandatory to run HappyAxis.jsp in prod - arguably we should
> discourage it. There are "enumeration" vulnerabilities and info leakage
> issues in the axis2-web section.This whole axis2-web section is disabled in
> my day job, for example.
> axis2-admin is another area that will perhaps be off by default in an
> upcoming release, since the current implementation uses weak passwords, see
> AXIS2-5910.
> 500 Exceptions are easy to create with Axis2 since it requires specific
> parameters in the payload, therefore penetration testing will likely cause
> them. Customized error handling via the web.xml could be recommended in the
> FAQ.
> Any thoughts, comments or concerns [~veithen] ?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
