axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "robert lazarski (JIRA)" <>
Subject [jira] [Updated] (AXIS2-5911) Update Axis2 FAQ to include production hardening tips
Date Thu, 15 Mar 2018 14:34:00 GMT


robert lazarski updated AXIS2-5911:
    Issue Type: Improvement  (was: Bug)

> Update Axis2 FAQ to include production hardening tips
> -----------------------------------------------------
>                 Key: AXIS2-5911
>                 URL:
>             Project: Axis2
>          Issue Type: Improvement
>            Reporter: robert lazarski
>            Assignee: robert lazarski
>            Priority: Major
> The axis2 mailing list is getting frequent requests for help, regarding 3rd party penetration
testing tool reports. Jira issues are also getting created. 
> A lot of these reports are in the localhost:8080/axis2/axis2-web section for example.
Its not mandatory to run HappyAxis.jsp in prod - arguably we should discourage it. There are
"enumeration" vulnerabilities and info leakage issues in the axis2-web section.This whole
axis2-web section is disabled in my day job, for example. 
> axis2-admin is another area that will perhaps be off by default in an upcoming release,
since the current implementation uses weak passwords, see AXIS2-5910. 
> 500 Exceptions are easy to create with Axis2 since it requires specific parameters in
the payload, therefore penetration testing will likely cause them. Customized error handling
via the web.xml could be recommended in the FAQ.
> Any thoughts, comments or concerns [~veithen] ?

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message