[jira] [Commented] (AXIS2-5911) Update Axis2 FAQ to include production hardening tips

2018-03-19 Thread Andreas Veithen (JIRA)

[ https://issues.apache.org/jira/browse/AXIS2-5911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16405577#comment-16405577 ]

Andreas Veithen commented on AXIS2-5911:


I don't understand. The error messages basically mean that the Veracode thing 
is too dumb to properly compile the JSPs. The only known problem is the weak 
default password. If we remove that and instead use container security, then it 
would be disabled by default.

> Update Axis2 FAQ to include production hardening tips
> -
>
> Key: AXIS2-5911
> URL: https://issues.apache.org/jira/browse/AXIS2-5911
> Project: Axis2
>  Issue Type: Improvement
>Reporter: robert lazarski
>Assignee: robert lazarski
>Priority: Major
>
> The axis2 mailing list is getting frequent requests for help, regarding 3rd 
> party penetration testing tool reports. Jira issues are also getting created. 
> A lot of these reports are in the localhost:8080/axis2/axis2-web section for 
> example. It's not mandatory to run HappyAxis.jsp in prod - arguably we should 
> discourage it. There are "enumeration" vulnerabilities and info leakage 
> issues in the axis2-web section. This whole axis2-web section is disabled in 
> my day job, for example. 
> axis2-admin is another area that will perhaps be off by default in an 
> upcoming release, since the current implementation uses weak passwords, see 
> AXIS2-5910. 
> 500 Exceptions are easy to create with Axis2 since it requires specific 
> parameters in the payload, therefore penetration testing will likely cause 
> them. Customized error handling via the web.xml could be recommended in the 
> FAQ.
> Any thoughts, comments or concerns [~veithen] ?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
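The two hardening measures the thread mentions, container-managed security for the admin console and custom error handling via web.xml, as an added example for a FAQ entry; this is not code from the Axis2 project or from anyone in the thread. It assumes the admin console and diagnostic pages are mounted under /axis2-admin/ and /axis2-web/ inside the axis2 webapp, that a role named "axis2-admin" is defined in the container's realm, and that a static /WEB-INF/errors/500.html exists.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example fragment for the axis2 webapp's WEB-INF/web.xml (assumed paths and role). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Admin console: only authenticated users in role "axis2-admin", and only over TLS.
       This replaces the console's own built-in password with the container's realm. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Axis2 admin console</web-resource-name>
      <url-pattern>/axis2-admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>axis2-admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Diagnostic pages (HappyAxis.jsp, service listings): an empty auth-constraint
       means no role satisfies it, so the container denies every request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Axis2 diagnostic pages</web-resource-name>
      <url-pattern>/axis2-web/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Axis2 admin</realm-name>
  </login-config>
  <security-role>
    <role-name>axis2-admin</role-name>
  </security-role>

  <!-- Custom error handling: a static page instead of the container's default
       error page, which may include a stack trace and server version. -->
  <error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/errors/500.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/WEB-INF/errors/500.html</location>
  </error-page>
</web-app>
```

The error-page mappings only apply to errors that reach the container (sendError or an uncaught exception); a SOAP fault that Axis2 writes itself is unaffected, so verify the result by sending a malformed request after deploying.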



[jira] [Commented] (AXIS2-5911) Update Axis2 FAQ to include production hardening tips

2018-03-19 Thread robert lazarski (JIRA)

[ https://issues.apache.org/jira/browse/AXIS2-5911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16405554#comment-16405554 ]

robert lazarski commented on AXIS2-5911:


I just ran the Veracode checker on the admin page and it has other 
problems. See below.

I don't use the admin page myself. Investigating the use of, for example, 
Wildfly and Tomcat security, to protect it seems like more work than it's worth 
to be honest.

I am +1 for disabling the admin page and HappyAxis.jsp by default in svn. And 
providing a big warning at the top of these pages, along with a new FAQ entry. 
That way if someone finds the security problems and leaves the features enabled 
anyways, they have been warned and it's at their own risk. FWIW, the Apache 
Security team has accepted our previous action in that regard for the SOAP 
Monitor last year. 

[~veithen] what do you think about disabling this stuff by default? See below 
for the Veracode problems. 

Unable to compile /WEB-INF/views/admin/editServiceParameters.jsp: Error on line 
25 of /WEB-INF/views/admin/editServiceParameters.jsp: No tag "status" defined 
in tag library imported with prefix "t"
Unable to compile /WEB-INF/views/admin/engageGlobally.jsp: Error on line 64 of 
/WEB-INF/views/admin/engageGlobally.jsp: No tag "status" defined in tag library 
imported with prefix "t"
Unable to compile /WEB-INF/views/admin/engageToOperation.jsp: Error on line 117 
of /WEB-INF/views/admin/engageToOperation.jsp: No tag "status" defined in tag 
library imported with prefix "t"
Unable to compile /WEB-INF/views/admin/engageToService.jsp: Error on line 132 
of /WEB-INF/views/admin/engageToService.jsp: No tag "status" defined in tag 
library imported with prefix "t"
Unable to compile /WEB-INF/views/admin/engageToServiceGroup.jsp: Error on line 
124 of /WEB-INF/views/admin/engageToServiceGroup.jsp: No tag "status" defined 
in tag library imported with prefix "t"
Unable to compile /WEB-INF/views/admin/listServices.jsp: Error on line 38 of 
/WEB-INF/views/admin/listServices.jsp: No tag "status" defined in tag library 
imported with prefix "t"
Unable to compile /WEB-INF/views/admin/upload.jsp: Error on line 45 of 
/WEB-INF/views/admin/upload.jsp: No tag "status" defined in tag library 
imported with prefix "t"
No supporting files or PDB files






[jira] [Commented] (AXIS2-5911) Update Axis2 FAQ to include production hardening tips

2018-03-15 Thread Andreas Veithen (JIRA)

[ https://issues.apache.org/jira/browse/AXIS2-5911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16401148#comment-16401148 ]

Andreas Veithen commented on AXIS2-5911:


I would actually be tempted to completely remove HappyAxis.jsp.

As for the weak password, an option would be to let the admin console use the 
standard security features provided by the servlet container.



