On 6/19/2019 10:27 AM, pavan landge wrote:


---------- Forwarded message ---------
From: pavan landge <pavanlandge...@gmail.com>
Date: Thu 13 Jun, 2019, 3:30 PM
Subject: Axis2: Security Bug Severity 1
To: <java-user-subscr...@axis.apache.org>
Cc: pavan landge <pavanlandge...@gmail.com>


Hi Team,

I am using the Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am enabling the logs to check whether the parameters passed with the SOAP envelope are correct or not.
I can see in the SOAP envelope the *PASSWORD* is getting displayed.

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>local:test123</wsse:Username>
<wsse:Password>.test123</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<ns1:Headers soapenv:mustUnderstand="0"
xmlns:ns1="urn:test123systems-com:Interconnect.Headers">
<ns1:Test123-Client-ID>234234bbdvb-dfg76-4t3f-1aer-01ebd7ferger</ns1:Test123-Client-ID>
</ns1:Headers>
</soapenv:Header>
<soapenv:Body>



Using the below entries in log4j to enable the Axis2 logs:

log4j.logger.org.apache.axis.client.Call=trace
log4j.logger.org.apache.axis.client.AxisClient=trace
log4j.logger.org.apache.axis.transport.http.HTTPSender=trace
log4j.logger.org.apache.axis.MessageContext=trace

Since it is displaying the password unmasked, is it valid as per the security law concern?

Using the below machine configuration:

JDK 1.8
Mysql 5.7 server.
Windows 2016 server.


Best Regards,
Pavan Landge
pavanlandge...@gmail.com

Unmasked passwords in logs are very bad practice unless it is your test/dev env :)
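A defender-side check for the issue raised in this thread, added here as an example that is not part of the mail or of Axis2: it masks every wsse:Password value before an envelope is handed to a logger, and counts UsernameTokens that carry the password in clear (a missing Type attribute means PasswordText under the WSS UsernameToken profile). The sample envelope is constructed from the header quoted above, with an empty Body added so it parses; the regex fallback covers a truncated capture.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces taken from the envelope quoted in the e-mail.
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Type URI for a cleartext password (also the default when Type is absent).
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
MASK = "***REDACTED***"

for prefix, uri in (("soapenv", SOAPENV), ("wsse", WSSE)):
    ET.register_namespace(prefix, uri)  # keep the original prefixes on output


def redact_envelope(xml_text: str) -> str:
    """Return the envelope with every wsse:Password value replaced by MASK.

    If the text is not well-formed XML (e.g. an envelope captured mid-stream),
    fall back to a prefix-agnostic regex so a parse error never lets the
    secret reach the log unmasked.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return re.sub(r"(<(?:\w+:)?Password\b[^>]*>)[^<]*(</(?:\w+:)?Password>)",
                      r"\g<1>" + MASK + r"\g<2>", xml_text)
    for pw in root.iter(f"{{{WSSE}}}Password"):
        pw.text = MASK
    return ET.tostring(root, encoding="unicode")


def plaintext_password_tokens(xml_text: str) -> int:
    """Count wsse:Password elements that carry the password in clear."""
    root = ET.fromstring(xml_text)
    return sum(1 for pw in root.iter(f"{{{WSSE}}}Password")
               if pw.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT)


# Constructed sample: the header from the mail plus an empty Body.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>local:test123</wsse:Username>
<wsse:Password>.test123</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""
```

Run `redact_envelope` over the envelope string at the point where the trace logger would receive it; `plaintext_password_tokens` is useful as a startup or CI check that the client is not sending PasswordText tokens at all.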

