Hi Robert,

But the question is, suppose someone did the log checking with trace/debug level intentionally. Then do we have any preventive measure to avoid it?
Or is it the issue with the third-party Axis2 jar which is displaying the password?

Best regards,
Pavan landge

On Wed 19 Jun, 2019, 8:49 PM robertlazarski ., <robertlazar...@gmail.com> wrote:
>
> On Tue, Jun 18, 2019 at 9:28 PM pavan landge <pavanlandge...@gmail.com> wrote:
>
>> ---------- Forwarded message ---------
>> From: pavan landge <pavanlandge...@gmail.com>
>> Date: Thu 13 Jun, 2019, 3:30 PM
>> Subject: Axis2: Security Bug Severity 1
>> To: <java-user-subscr...@axis.apache.org>
>> Cc: pavan landge <pavanlandge...@gmail.com>
>>
>> Hi Team,
>>
>> I am using the Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am enabling the logs to check whether the parameters passed with the SOAP envelope are correct or not.
>> I can see in the SOAP envelope the *PASSWORD* is getting displayed.
>
> From an Axis2 security perspective, the WEB-INF/classes/log4j.properties that is shipped defaults to INFO level; you won't see this unless you purposely change the level and also are not encrypting your own sensitive user data.
>
> We suggest not doing that. We can't prevent bad practices though, should you choose to do so.
>
> If you really need to send the passwords etc. unencrypted, you can always use RAMPART to encrypt the payload body and use a digital signature to verify the integrity.
>
> Regards,
> Robert
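The thread leaves two layers of defence on the table: keep the shipped log4j.properties at INFO, and use Rampart to encrypt the payload so a dump contains ciphertext rather than the credential. A third, application-side layer that addresses the "someone turned on DEBUG deliberately" case is to mask credential elements in the envelope text before it is ever passed to a logger. The class below is an added illustration of that idea, written for this page; it is not code from the thread, from Axis2 or from Rampart. It uses only the JDK's DOM and Transformer APIs, the class and method names (`SoapLogRedactor`, `redact`) are invented, and the sample envelope in `main` is constructed. The element names it masks (`Password`, `Nonce`) are those of the WS-Security UsernameToken profile, which is the usual place a clear-text password appears in a SOAP header.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Hypothetical helper (not part of Axis2 or Rampart): masks credential
 * elements in a SOAP envelope before the text is handed to a logger, so a
 * DEBUG/TRACE dump never contains the clear-text password.
 */
public class SoapLogRedactor {

    // Local names of elements whose text content must never reach a log file.
    // wsse:Password and wsse:Nonce are the UsernameToken fields; the namespace
    // is matched with "*" so any prefix or WS-Security namespace version is covered.
    private static final String[] SECRET_ELEMENTS = {"Password", "Nonce"};
    private static final String MASK = "***REDACTED***";

    public static String redact(String envelope) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The logging helper must not become an XXE sink: forbid DTDs entirely.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader(envelope)));

        // Replace the text of every matching element, wherever it sits in the tree.
        for (String name : SECRET_ELEMENTS) {
            NodeList hits = doc.getElementsByTagNameNS("*", name);
            for (int i = 0; i < hits.getLength(); i++) {
                ((Element) hits.item(i)).setTextContent(MASK);
            }
        }

        // Serialise the masked tree back to a string suitable for a log line.
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Transformer t = tf.newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a request carrying a WS-Security UsernameToken.
        String envelope =
            "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
            + " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">"
            + "<soapenv:Header><wsse:Security><wsse:UsernameToken>"
            + "<wsse:Username>alice</wsse:Username>"
            + "<wsse:Password>s3cr3t-example</wsse:Password>"
            + "</wsse:UsernameToken></wsse:Security></soapenv:Header>"
            + "<soapenv:Body><getBalance><account>42</account></getBalance></soapenv:Body>"
            + "</soapenv:Envelope>";

        String safe = redact(envelope);
        // Whatever level log4j is set to, only the masked copy is ever logged
        // (with log4j 1.x: LOG.debug(safe), guarded by LOG.isDebugEnabled()).
        System.out.println(safe);
        if (safe.contains("s3cr3t-example")) {
            throw new IllegalStateException("password leaked into log text");
        }
    }
}
```

The design point is that the redaction happens on the application's own copy of the envelope, independently of the logging level, so a later change to log4j.properties cannot reintroduce the leak. It complements rather than replaces Robert's advice: Rampart encryption protects the credential on the wire and in any dump taken below this layer, whereas this helper only protects what the application itself chooses to log.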