<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-5066603456638955842.post7543838760117889964..comments</id><updated>2008-09-22T15:39:16.527+01:00</updated><title type='text'>Comments on Connecting SOA to the Cloud: SOAP Faults - Too much information</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.soatothecloud.com/feeds/7543838760117889964/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/7543838760117889964/comments/default'/><link rel='alternate' type='text/html' href='http://www.soatothecloud.com/2008/09/soap-faults-too-much-information.html'/><author><name>Mark O'Neill</name><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='6' src='http://1.bp.blogspot.com/_nu5SNZshYes/SKI2NtQ6NVI/AAAAAAAAACA/Mkp8zxsGeTo/s1600-R/markemail.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>2</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5066603456638955842.post-6975881673654232942</id><published>2008-09-22T15:39:00.000+01:00</published><updated>2008-09-22T15:39:00.000+01:00</updated><title type='text'>Hi Steve,&lt;br&gt;&lt;br&gt;Thanks for pointing that out. Bac...</title><content type='html'>Hi Steve,&lt;BR/&gt;&lt;BR/&gt;Thanks for pointing that out. Back when the vulnerability assessment was done (in early 2006), the information was being sent back. 
That may have been before the time of "development.system", or (more likely) perhaps they had just unthinkingly left it on because the system under scrutiny was an internal system. &lt;BR/&gt;&lt;BR/&gt;Having "no stack trace returned" as the default is great, because in those stack traces, we could see information like:&lt;BR/&gt;&lt;BR/&gt;org.hibernate.exception.GenericJDBCException: could not insert: com.companyx.model2.x.integration,dto.LifeAssured]&lt;BR/&gt;&lt;BR/&gt;and, when we ran a SQL Injection attack, we saw:&lt;BR/&gt;&lt;BR/&gt;java.sql.SQLException: setString can only process strings of less than 32766 characters &lt;BR/&gt;&lt;BR/&gt;I find these recommendations on the Apache site useful, and I often point people to them:&lt;BR/&gt;&lt;BR/&gt;http://ws.apache.org/axis/java/security.html#StopAxisServletListingServices&lt;BR/&gt;&lt;BR/&gt;But, I would argue that the "return WSDL" functionality should be under the "development.system" flag also (i.e. setting "axis.enableListQuery" to false). The recommendations above show how to turn off the service listing and "?WSDL" WSDL-download functionality, but it's not done by default. 
See also Anil John's post on this yesterday: &lt;BR/&gt;http://www.aniltj.com/blog/2008/09/21/InformationDisclosureThreatsAndWebServices.aspx &lt;BR/&gt;&lt;BR/&gt;cheers,&lt;BR/&gt;Mark</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/7543838760117889964/comments/default/6975881673654232942'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/7543838760117889964/comments/default/6975881673654232942'/><link rel='alternate' type='text/html' href='http://www.soatothecloud.com/2008/09/soap-faults-too-much-information.html?showComment=1222094340000#c6975881673654232942' title=''/><author><name>Mark O'Neill</name><uri>http://www.blogger.com/profile/03202416986720435011</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='6' src='http://1.bp.blogspot.com/_nu5SNZshYes/SKI2NtQ6NVI/AAAAAAAAACA/Mkp8zxsGeTo/s1600-R/markemail.jpg'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.soatothecloud.com/2008/09/soap-faults-too-much-information.html' ref='tag:blogger.com,1999:blog-5066603456638955842.post-7543838760117889964' source='http://www.blogger.com/feeds/5066603456638955842/posts/default/7543838760117889964' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-1617845394'/></entry><entry><id>tag:blogger.com,1999:blog-5066603456638955842.post-704236809346892554</id><published>2008-09-22T09:28:00.000+01:00</published><updated>2008-09-22T09:28:00.000+01:00</updated><title type='text'>Apache Axis strips out the stack trace before send...</title><content type='html'>Apache Axis strips out the stack trace before sending a fault back over the wire, unless you explicitly set the "development.system" flag. By default: no stack trace. 
What it does do (and it is a feature which I must bear the blame for) is send the hostname of the failing system over, because it is a lot easier to track down failures in a cluster if you can see which machine is failing. For better security we'd really need to have a remap table to assign false names to the hosts.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/7543838760117889964/comments/default/704236809346892554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/7543838760117889964/comments/default/704236809346892554'/><link rel='alternate' type='text/html' href='http://www.soatothecloud.com/2008/09/soap-faults-too-much-information.html?showComment=1222072080000#c704236809346892554' title=''/><author><name>SteveL</name><uri>http://www.blogger.com/profile/07654931341335136008</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.soatothecloud.com/2008/09/soap-faults-too-much-information.html' ref='tag:blogger.com,1999:blog-5066603456638955842.post-7543838760117889964' source='http://www.blogger.com/feeds/5066603456638955842/posts/default/7543838760117889964' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-414720007'/></entry></feed>
