Axis system configuration listing enabled in WEB-INF/server-config.wsdd

Severity: Medium

Summary#

Invicti detected that the web application has enabled listing of the Web Service Deployment Descriptor (WSDD). This feature exposes the current system configuration which contains sensitive information like the adminservice password.

It's recommended to modify the configuration file WEB-INF/server-config.wsdd to disable configuration listing.

Impact#

When Axis system configuration listing is enabled, sensitive information like the adminservice password is leaked to attackers.

Actions To Take#

In the example below, the web application disable listing of the Web Service Deployment Descriptor (WSDD):

<globalConfiguration>
 <parameter name="axis.enableListQuery" value="false"/>
</globalConfiguration>

Classifications#

OWASP 2017-A6, OWASP 2013-A5, CWE-16, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Select Category

Critical
High
Medium
Low
Best Practice
Information

Search Vulnerability

Related Vulnerabilities

Axis system configuration listing enabled in WEB-INF/server-config.wsdd

Related Articles

Build your resistance to threats. And save hundreds of hours each month.