---------- Forwarded message ---------
From: pavan landge <pavanlandge...@gmail.com>
Date: Thu 13 Jun, 2019, 3:30 PM
Subject: Axis2: Security Bug Severity 1
To: <java-user-subscr...@axis.apache.org>
Cc: pavan landge <pavanlandge...@gmail.com>


Hi Team,

I am using the Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am
enabling the logs to check whether the parameters passed with the SOAP envelope are
correct or not.
I can see in the SOAP envelope that the *PASSWORD* is getting displayed.

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>local:test123</wsse:Username>
<wsse:Password>.test123</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<ns1:Headers soapenv:mustUnderstand="0"
xmlns:ns1="urn:test123systems-com:Interconnect.Headers">
<ns1:Test123-Client-ID>234234bbdvb-dfg76-4t3f-1aer-01ebd7ferger</ns1:Test123-Client-ID>
</ns1:Headers>
</soapenv:Header>
<soapenv:Body>



Using the entries below in log4j to enable the Axis2 logs:

log4j.logger.org.apache.axis.client.Call=trace
log4j.logger.org.apache.axis.client.AxisClient=trace
log4j.logger.org.apache.axis.transport.http.HTTPSender=trace
log4j.logger.org.apache.axis.MessageContext=trace

Since it is displaying the password unmasked, is this valid as per the
security law concerns?

Using the machine configuration below:

JDK 1.8
MySQL 5.7 server.
Windows 2016 server.


Best Regards,
Pavan Landge
pavanlandge...@gmail.com
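The usual mitigation for the problem described in this message is to redact the wsse:Password text before the envelope reaches the logger, rather than leaving the trace loggers on. The following is an added example, not code from the email or from Axis2, written in Python with the standard library: it parses the envelope and blanks every Password element in the WS-Security namespace, and falls back to a narrow regex when the logged fragment is not well-formed XML (as with the truncated envelope above). The sample envelope is constructed here and mirrors the one in the email.

```python
import re
import xml.etree.ElementTree as ET

# WS-Security 1.0 namespace used by the UsernameToken in the email's envelope.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAPENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
REDACTED = "***"

# Keep the familiar prefixes when re-serialising (ElementTree otherwise emits ns0, ns1, ...).
ET.register_namespace("soapenv", SOAPENV_NS)
ET.register_namespace("wsse", WSSE_NS)

# Fallback for log fragments that are not well-formed XML: matches
# <prefix:Password ...>...</prefix:Password> with any prefix or none.
_PW_RE = re.compile(
    r"(<(?:[\w.-]+:)?Password\b[^>]*>)(.*?)(</(?:[\w.-]+:)?Password>)", re.DOTALL
)


def redact_wsse_passwords(envelope_xml: str) -> str:
    """Return envelope_xml with the text of every wsse:Password element replaced.

    Well-formed input is parsed so the element is matched by namespace, not by
    prefix; unparseable input (a truncated envelope, an unbound prefix) is
    handled by the regex fallback so a partial message never logs the secret.
    """
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return _PW_RE.sub(lambda m: m.group(1) + REDACTED + m.group(3), envelope_xml)
    for pw in root.iter(f"{{{WSSE_NS}}}Password"):
        pw.text = REDACTED
    return ET.tostring(root, encoding="unicode")


# Constructed sample envelope (same header layout as in the email).
SAMPLE_ENVELOPE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAPENV_NS}">'
    "<soapenv:Header>"
    f'<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE_NS}">'
    "<wsse:UsernameToken>"
    "<wsse:Username>local:test123</wsse:Username>"
    "<wsse:Password>.test123</wsse:Password>"
    "</wsse:UsernameToken>"
    "</wsse:Security>"
    "</soapenv:Header>"
    "<soapenv:Body><ping/></soapenv:Body>"
    "</soapenv:Envelope>"
)

if __name__ == "__main__":
    print(redact_wsse_passwords(SAMPLE_ENVELOPE))
```

Call redact_wsse_passwords() on the envelope string inside whatever handler or appender formats it for the log; the username and the rest of the message are left intact.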
