
List:       kandula-dev
Subject:    [jira] [Updated] (AXIS2-5911) Update Axis2 FAQ to include production hardening tips
From:       "robert lazarski (JIRA)" <jira () apache ! org>
Date:       2018-03-15 14:34:00
Message-ID: JIRA.13145380.1521121958000.27843.1521124440124 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/AXIS2-5911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

robert lazarski updated AXIS2-5911:
-----------------------------------
    Issue Type: Improvement  (was: Bug)

> Update Axis2 FAQ to include production hardening tips
> -----------------------------------------------------
> 
> Key: AXIS2-5911
> URL: https://issues.apache.org/jira/browse/AXIS2-5911
> Project: Axis2
> Issue Type: Improvement
> Reporter: robert lazarski
> Assignee: robert lazarski
> Priority: Major
> 
> The axis2 mailing list is getting frequent requests for help regarding 3rd party
> penetration testing tool reports. Jira issues are also getting created. A lot of
> these reports are in the localhost:8080/axis2/axis2-web section, for example. It's
> not mandatory to run HappyAxis.jsp in prod - arguably we should discourage it.
> There are "enumeration" vulnerabilities and info leakage issues in the axis2-web
> section. This whole axis2-web section is disabled in my day job, for example.
> axis2-admin is another area that will perhaps be off by default in an upcoming
> release, since the current implementation uses weak passwords, see AXIS2-5910.
> 500 Exceptions are easy to create with Axis2 since it requires specific parameters
> in the payload, therefore penetration testing will likely cause them. Customized
> error handling via the web.xml could be recommended in the FAQ. Any thoughts,
> comments or concerns [~veithen]?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
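The two hardening measures the ticket asks the FAQ to recommend (custom error handling and taking axis2-web / axis2-admin out of service) can both be expressed in the webapp's WEB-INF/web.xml. The fragment below is an added example, not configuration from the Axis2 project or the ticket; it assumes the default war layout with the diagnostic pages under /axis2-web/* and the admin console under /axis2-admin/*, and a static /error.html that you supply.

```xml
<!-- Added example fragment to merge into WEB-INF/web.xml of the Axis2 webapp.
     Assumed paths: /axis2-web/* and /axis2-admin/* (default war layout) and a
     static /error.html provided by the deployer. -->

<!-- 1. Route 500s and any uncaught exception to a static page, so the servlet
        container's default error report (exception class, message, stack trace)
        is never returned to a client that sent a malformed SOAP payload. -->
<error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
</error-page>
<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
</error-page>

<!-- 2. Deny every request to the axis2-web pages (HappyAxis.jsp and friends) and
        to axis2-admin. An empty auth-constraint means no role can ever satisfy
        the constraint, so the container rejects the request with 403 regardless
        of whether the caller is authenticated. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Axis2 diagnostic and admin pages</web-resource-name>
        <url-pattern>/axis2-web/*</url-pattern>
        <url-pattern>/axis2-admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

After deploying, a request to /axis2/axis2-web/HappyAxis.jsp should answer 403 and a deliberately malformed POST to a service endpoint should return the static page rather than a stack trace; both are easy to confirm with curl.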
