[ https://issues.apache.org/jira/browse/AXIS2-5911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
robert lazarski reassigned AXIS2-5911:
--------------------------------------

    Assignee: robert lazarski

> Update Axis2 FAQ to include production hardening tips
> -----------------------------------------------------
>
>                 Key: AXIS2-5911
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5911
>             Project: Axis2
>          Issue Type: Bug
>            Reporter: robert lazarski
>            Assignee: robert lazarski
>            Priority: Major
>
> The axis2 mailing list is getting frequent requests for help, regarding 3rd
> party penetration testing tool reports. Jira issues are also getting created.
> A lot of these reports are in the localhost:8080/axis2/axis2-web section for
> example. It's not mandatory to run HappyAxis.jsp in prod - arguably we should
> discourage it. There are "enumeration" vulnerabilities and info leakage
> issues in the axis2-web section. This whole axis2-web section is disabled in
> my day job, for example.
> axis2-admin is another area that will perhaps be off by default in an
> upcoming release, since the current implementation uses weak passwords, see
> AXIS2-5910.
> 500 Exceptions are easy to create with Axis2 since it requires specific
> parameters in the payload, therefore penetration testing will likely cause
> them. Customized error handling via the web.xml could be recommended in the
> FAQ.
> Any thoughts, comments or concerns [~veithen] ?

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
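As an added example that is not part of the issue or of the Axis2 project, a web.xml fragment applying the two hardening steps the report describes: blocking the axis2-web (HappyAxis.jsp) and axis2-admin sections, and replacing the container's default 500 page. The error page location /WEB-INF/error/generic.html is an assumed placeholder.

```xml
<!-- Constructed fragment; assumed to sit inside the <web-app> element of the
     Axis2 WAR's WEB-INF/web.xml. URL patterns are relative to the /axis2 context. -->

<!-- Deny every request to the diagnostic pages under axis2-web (HappyAxis.jsp,
     the enumeration and info-leakage surface) and to the axis2-admin console.
     An empty <auth-constraint/> grants access to no role at all, so the
     container answers 403 regardless of whether the caller authenticated. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis2 diagnostic and admin pages</web-resource-name>
    <url-pattern>/axis2-web/*</url-pattern>
    <url-pattern>/axis2-admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Replace the container's default 500 page, which usually embeds the stack
     trace and server version, with a static page that reveals nothing.
     A location under /WEB-INF is forwarded to by the container but cannot be
     requested directly by a client. -->
<error-page>
  <error-code>500</error-code>
  <location>/WEB-INF/error/generic.html</location>
</error-page>

<!-- Catch-all for unhandled exceptions that are not mapped to a status code. -->
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/WEB-INF/error/generic.html</location>
</error-page>
```

After adding the error-page entries, verify that clients still receive SOAP fault bodies for legitimate faults; the container substitutes the page only for sendError() calls and unhandled exceptions, not for responses the servlet writes itself.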