Axis system configuration listing enabled in WEB-INF/server-config.wsdd

Severity:

Medium

Summary

Invicti detected that the web application has enabled listing of the Web Service Deployment Descriptor (WSDD). This feature exposes the current system configuration which contains sensitive information like the adminservice password.

It's recommended to modify the configuration file WEB-INF/server-config.wsdd to disable configuration listing.

Impact

When Axis system configuration listing is enabled, sensitive information like the adminservice password is leaked to attackers.

Remediation

Required Skills for Successful Exploitation

Actions To Take

In the example below, the web application disable listing of the Web Service Deployment Descriptor (WSDD):

Classifications

CWE-16

OWASP 2013-A5

OWASP 2017-A6

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Select Vulnerability

Related Vulnerabilities

Version Disclosure (RubyGems)

Version Disclosure (RiotJs)

Underscorejs Identified

Version Disclosure (Mongrel Web Server)

WordPress Theme Twenty Twenty Out Of Date

Axis system configuration listing enabled in WEB-INF/server-config.wsdd

Vulnerability Index

Select Category

Select Vulnerability

Featured resources

Build your resistance to threats. And save hundreds of hours each month.