[
https://issues.apache.org/jira/browse/AXIS2-5911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16405554#comment-16405554
]
robert lazarski commented on AXIS2-5911:
----------------------------------------
I just ran the Veracode checker on the admin page and it has other other
problems. See below.
I don't use the admin page myself. Investigating the use of, for example,
Wildfly and Tomcat security, to protect it seems like more work than its worth
to be honest.
I am +1 for disabling the admin page and HappyAxis.jsp by default in svn. And
providing a big warning at the top of these pages, along with a new FAQ entry.
That way if someone finds the security problems and leaves the features enabled
anyways, they have been warned and its at their own risk. FWIW, the Apache
Security team has accepted our previous action in that regard for the SOAP
Monitor last year.
[~veithen] what do you think about disabling this stuff by default? See below
for the Veracode problems.
Unable to compile /WEB-INF/views/admin/editServiceParameters.jsp: Error on line
25 of /WEB-INF/views/admin/editServiceParameters.jsp: No tag "status" defined
in tag library imported with prefix "t"
Unable to compile /WEB-INF/views/admin/engageGlobally.jsp: Error on line 64 of
/WEB-INF/views/admin/engageGlobally.jsp: No tag "status" defined in tag library
imported with prefix "t"
Unable to compile /WEB-INF/views/admin/engageToOperation.jsp: Error on line 117
of /WEB-INF/views/admin/engageToOperation.jsp: No tag "status" defined in tag
library imported with prefix "t"
Unable to compile /WEB-INF/views/admin/engageToService.jsp: Error on line 132
of /WEB-INF/views/admin/engageToService.jsp: No tag "status" defined in tag
library imported with prefix "t"
Unable to compile /WEB-INF/views/admin/engageToServiceGroup.jsp: Error on line
124 of /WEB-INF/views/admin/engageToServiceGroup.jsp: No tag "status" defined
in tag library imported with prefix "t"
Unable to compile /WEB-INF/views/admin/listServices.jsp: Error on line 38 of
/WEB-INF/views/admin/listServices.jsp: No tag "status" defined in tag library
imported with prefix "t"
Unable to compile /WEB-INF/views/admin/upload.jsp: Error on line 45 of
/WEB-INF/views/admin/upload.jsp: No tag "status" defined in tag library
imported with prefix "t"
No supporting files or PDB files
> Update Axis2 FAQ to include production hardening tips
> -----------------------------------------------------
>
> Key: AXIS2-5911
> URL: https://issues.apache.org/jira/browse/AXIS2-5911
> Project: Axis2
> Issue Type: Improvement
> Reporter: robert lazarski
> Assignee: robert lazarski
> Priority: Major
>
> The axis2 mailing list is getting frequent requests for help, regarding 3rd
> party penetration testing tool reports. Jira issues are also getting created.
> A lot of these reports are in the localhost:8080/axis2/axis2-web section for
> example. Its not mandatory to run HappyAxis.jsp in prod - arguably we should
> discourage it. There are "enumeration" vulnerabilities and info leakage
> issues in the axis2-web section.This whole axis2-web section is disabled in
> my day job, for example.
> axis2-admin is another area that will perhaps be off by default in an
> upcoming release, since the current implementation uses weak passwords, see
> AXIS2-5910.
> 500 Exceptions are easy to create with Axis2 since it requires specific
> parameters in the payload, therefore penetration testing will likely cause
> them. Customized error handling via the web.xml could be recommended in the
> FAQ.
> Any thoughts, comments or concerns [~veithen] ?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
