robert lazarski created AXIS2-5911:
--------------------------------------

             Summary: Update Axis2 FAQ to include production hardening tips
                 Key: AXIS2-5911
                 URL: https://issues.apache.org/jira/browse/AXIS2-5911
             Project: Axis2
          Issue Type: Bug
            Reporter: robert lazarski


The axis2 mailing list is getting frequent requests for help regarding 3rd 
party penetration testing tool reports. Jira issues are also getting created. 

A lot of these reports are in the localhost:8080/axis2/axis2-web section, for 
example. It's not mandatory to run HappyAxis.jsp in prod - arguably we should 
discourage it. There are "enumeration" vulnerabilities and info leakage issues 
in the axis2-web section. This whole axis2-web section is disabled in my day 
job, for example. 

axis2-admin is another area that will perhaps be off by default in an upcoming 
release, since the current implementation uses weak passwords, see AXIS2-5910. 

500 Exceptions are easy to create with Axis2 since it requires specific 
parameters in the payload, therefore penetration testing will likely cause 
them. Customized error handling via the web.xml could be recommended in the FAQ.

Any thoughts, comments or concerns [~veithen]?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
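The following web.xml is an added example, not part of this issue and not the descriptor shipped with the Axis2 WAR. It shows the two hardening measures the report mentions side by side: a container-level deny on the axis2-web and axis2-admin paths, and generic error pages so a 500 does not return a stack trace. The AxisServlet class name and /services/* mapping are those of the Axis2 distribution; the /error.html location is an assumed static file the deployer adds to the WAR root.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Axis2 SOAP endpoint, as shipped with the distribution (unchanged) -->
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>

  <!-- Hardening 1: deny every request to the diagnostic pages (HappyAxis.jsp,
       service listings) and to the admin console. An empty auth-constraint
       means no role may reach these URLs, so the container answers 403
       before any Axis2 code or JSP runs. Remove the mapping entirely if the
       axis2-admin servlet is not needed in production. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Axis2 diagnostic and admin pages</web-resource-name>
      <url-pattern>/axis2-web/*</url-pattern>
      <url-pattern>/axis2-admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Hardening 2: generic error pages. Scanner payloads that omit the
       parameters Axis2 expects produce 500s; mapping the status code and any
       uncaught Throwable to a static page keeps container and framework
       details (class names, stack traces) out of the response body.
       /error.html is an assumed static file in the WAR root. -->
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>

</web-app>
```

One caveat worth stating in an FAQ: the error-page mechanism only fires for HttpServletResponse.sendError() and for exceptions that escape the servlet. A SOAP fault that Axis2 writes itself with setStatus(500) and a fault body is not intercepted, so this setting controls container-level errors, not the content of fault messages; those are governed by the Axis2 configuration. A quick check after deployment is to request /axis2/axis2-web/HappyAxis.jsp and /axis2/axis2-admin/ and confirm both return 403 rather than a page.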
