axis-java-dev mailing list archives

From "robert lazarski (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AXIS2-5910) axis2.xml uses weak password , automated penetration tools are complaining
Date Wed, 14 Mar 2018 23:10:00 GMT

     [ https://issues.apache.org/jira/browse/AXIS2-5910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

robert lazarski updated AXIS2-5910:
-----------------------------------
    Description: 
There are 48 axis2.xml files in source control it seems, and they all have the same weak password
in each file. 

As penetration tools become ubiquitous, they are all finding the same problem with these
weak credentials in axis2.xml.

We should consider the Tomcat approach and just comment out the entire username / password
section, as that doesn't seem to break anything. It doesn't, for example, break the happyaxis.jsp.

Next step I suppose would be replacing all 48 files with comments, and running the unit tests?

[https://svn.apache.org/viewvc/tomcat/trunk/conf/tomcat-users.xml?view=co&revision=1745083&content-type=text%2Fplain]

 

 

  was:
The are 48 axis2.xml files in source control it seems, and they all have the same weak password
in each file. 

As penetration tools become ubiquitous, they are all finding the same problem with these
weak credentials in axis2.xml.

We should consider the Tomcat approach and just comment out the entire username / password
section, as that doesn't seem to break anything. It doesn't, for example, break the happyaxis.jsp.

Next step I suppose would be replacing all 48 files with comments, and running the unit tests?

[https://svn.apache.org/viewvc/tomcat/trunk/conf/tomcat-users.xml?view=co&revision=1745083&content-type=text%2Fplain]

 

 


> axis2.xml uses weak password , automated penetration tools are complaining
> --------------------------------------------------------------------------
>
>                 Key: AXIS2-5910
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5910
>             Project: Axis2
>          Issue Type: Bug
>            Reporter: robert lazarski
>            Priority: Major
>
> There are 48 axis2.xml files in source control it seems, and they all have the same weak password in each file.
> As penetration tools become ubiquitous, they are all finding the same problem with these weak credentials in axis2.xml.
> We should consider the Tomcat approach and just comment out the entire username / password section, as that doesn't seem to break anything. It doesn't, for example, break the happyaxis.jsp.
> Next step I suppose would be replacing all 48 files with comments, and running the unit tests?
> [https://svn.apache.org/viewvc/tomcat/trunk/conf/tomcat-users.xml?view=co&revision=1745083&content-type=text%2Fplain]
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
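
One way to check progress on the cleanup proposed in the message above is to walk a source tree and report every axis2.xml that still carries a live (not commented-out) username / password parameter. This is an added example, not code from the message or from the Axis2 project; it assumes the parameters are named `userName` and `password`, and the sample files and credential values are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

CREDENTIAL_PARAMS = {"userName", "password"}  # assumed parameter names

def active_credential_params(xml_data):
    """Return sorted names of credential parameters that are not commented out."""
    # ElementTree drops XML comments while parsing, so a parameter wrapped in
    # <!-- ... --> never appears here; only live elements are reported.
    root = ET.fromstring(xml_data)
    return sorted({p.get("name") for p in root.iter("parameter")
                   if p.get("name") in CREDENTIAL_PARAMS})

def audit_tree(top):
    """Map each axis2.xml under `top` to its active credential parameters."""
    findings = {}
    for dirpath, _dirs, files in os.walk(top):
        if "axis2.xml" not in files:
            continue
        path = os.path.join(dirpath, "axis2.xml")
        try:
            with open(path, "rb") as fh:  # bytes: honours any XML encoding declaration
                names = active_credential_params(fh.read())
        except (ET.ParseError, OSError) as exc:
            names = ["UNPARSEABLE: " + type(exc).__name__]  # flag for manual review
        if names:
            findings[os.path.relpath(path, top)] = names
    return findings

# Constructed sample files: one with live credentials, one already commented out.
ACTIVE = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">EXAMPLE_USER</parameter>
    <parameter name="password">EXAMPLE_PASSWORD</parameter>
</axisconfig>"""
COMMENTED = ACTIVE.replace('<parameter name="userName">', '<!-- <parameter name="userName">') \
                  .replace('EXAMPLE_PASSWORD</parameter>', 'EXAMPLE_PASSWORD</parameter> -->')

def demo():
    """Build a throwaway tree with both samples and audit it."""
    with tempfile.TemporaryDirectory() as top:
        for sub, text in (("modules/a/conf", ACTIVE), ("modules/b/conf", COMMENTED)):
            os.makedirs(os.path.join(top, sub))
            with open(os.path.join(top, sub, "axis2.xml"), "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_tree(top)

if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print(path, names)
```

Files that fail to parse are reported rather than skipped, so a malformed comment edit does not silently pass the audit.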
