Hi Pavan,

On Wed, Jun 19, 2019 at 6:36 PM Alex Borschenko <aaborsche...@gmail.com> wrote:

> On 6/19/2019 10:27 AM, pavan landge wrote:
>
> ---------- Forwarded message ---------
> From: pavan landge <pavanlandge...@gmail.com>
> Date: Thu 13 Jun, 2019, 3:30 PM
> Subject: Axis2: Security Bug Severity 1
> To: <java-user-subscr...@axis.apache.org>
> Cc: pavan landge <pavanlandge...@gmail.com>
>
> Hi Team,
>
> I am using the Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am
> enabling the logs to check whether the parameters passed with the SOAP
> envelope are correct or not.
> I can see in the SOAP envelope the *PASSWORD* is getting displayed.
>
>     <?xml version="1.0" encoding="UTF-8"?>
>     <soapenv:Envelope
>         xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>       <soapenv:Header>
>         <wsse:Security soapenv:mustUnderstand="1"
>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>           <wsse:UsernameToken>
>             <wsse:Username>local:test123</wsse:Username>
>             <wsse:Password>.test123</wsse:Password>
>           </wsse:UsernameToken>
>         </wsse:Security>
>         <ns1:Headers soapenv:mustUnderstand="0"
>             xmlns:ns1="urn:test123systems-com:Interconnect.Headers">
>           <ns1:Test123-Client-ID>234234bbdvb-dfg76-4t3f-1aer-01ebd7ferger</ns1:Test123-Client-ID>
>         </ns1:Headers>
>       </soapenv:Header>
>       <soapenv:Body>
>
> Using the below entries in log4j to enable the axis2 logs:
>
>     log4j.logger.org.apache.axis.client.Call=trace
>     log4j.logger.org.apache.axis.client.AxisClient=trace
>     log4j.logger.org.apache.axis.transport.http.HTTPSender=trace
>     log4j.logger.org.apache.axis.MessageContext=trace
>
> Since it is displaying the password unmasked, is it valid as per the
> security law concern?

It's not just the password; having usernames in log files is sometimes problematic. Especially if you consider GDPR [1], you have to remove, upon request, any data by which an individual can be identified.
If you have usernames all over your logs, adhering to those kinds of enforcement would not be an easy task. Furthermore, when considering the passwords, having passwords printed in logs would lead to many security issues. Hence, in my opinion, this has to be fixed immediately.

[1] https://eugdpr.org/

Thanks,
Jayanga

> Using the below configuration machine:
>
> JDK 1.8
> Mysql 5.7 server.
> Windows 2016 server.
>
> Best Regards,
> Pavan Landge
> pavanlandge...@gmail.com
>
> Unmasked passwords in logs are very bad practice unless it is your test/dev
> env :)
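One way to keep credentials out of these trace logs, as an added example that is not from the thread or from Axis2: redact the wsse:Password (and optionally the wsse:Username, per the GDPR point above) before the envelope string reaches the logger. The envelope below is a constructed sample modelled on the one quoted in the thread; the function and names are this example's own.

```python
# Added example (not from the thread or Axis2): strip WS-Security credentials
# from a SOAP envelope string before logging it. Assumes the WSS 1.0 secext
# namespace shown in the thread; the sample envelope is constructed.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
REDACTED = "[REDACTED]"

# Keep the original prefixes on re-serialisation instead of ns0/ns1.
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)


def redact_wsse(envelope_xml: str, mask_username: bool = False) -> str:
    """Return envelope_xml with every wsse:Password text replaced (and every
    wsse:Username text too when mask_username is set). Element attributes,
    e.g. a Type="...#PasswordText" marker, are kept for debugging."""
    root = ET.fromstring(envelope_xml)
    targets = [f"{{{WSSE_NS}}}Password"]
    if mask_username:
        targets.append(f"{{{WSSE_NS}}}Username")
    for tag in targets:
        for element in root.iter(tag):
            element.text = REDACTED
    return ET.tostring(root, encoding="unicode")


# Constructed sample modelled on the envelope quoted in the thread.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE_NS}">
      <wsse:UsernameToken>
        <wsse:Username>local:test123</wsse:Username>
        <wsse:Password>.test123</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

if __name__ == "__main__":
    # What a log appender should receive instead of the raw envelope.
    print(redact_wsse(SAMPLE, mask_username=True))
```

Wire this in front of whichever trace logger emits the envelope; the password value never leaves the process in clear, while the rest of the header stays available for the parameter checks described in the thread.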