ABSTRACT

Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.

EXPLANATION

An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.



When set to true, axis.enableListQuery enables listing of the Web Service Deployment Descriptor (WSDD). This feature exposes the current system configuration, which contains sensitive information such as the adminservice password.
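One way to check a deployment descriptor for this setting, as an added example that is not part of the original page or of Apache Axis. The sample WSDD is constructed; the `adminPassword` parameter name, the set of values treated as "false", and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WSDD_NS = "{http://xml.apache.org/axis/wsdd/}"
# Assumption: any value outside this set is treated as "enabled" (conservative).
FALSE_VALUES = {"false", "0", "no", "off"}

# Constructed sample descriptor, not taken from a real deployment.
SAMPLE_WSDD = """<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <globalConfiguration>
    <parameter name="adminPassword" value="PLACEHOLDER"/>
    <parameter name="axis.enableListQuery" value="true"/>
  </globalConfiguration>
</deployment>
"""

def global_parameters(wsdd_text):
    """Return {name: value} for <parameter> elements under <globalConfiguration>."""
    root = ET.fromstring(wsdd_text.encode("utf-8"))
    params = {}
    for gc in root.iter(WSDD_NS + "globalConfiguration"):
        for p in gc.findall(WSDD_NS + "parameter"):
            params[p.get("name")] = (p.get("value") or "").strip()
    return params

def audit_list_query(wsdd_text):
    """Return a list of findings; empty when WSDD listing is explicitly disabled.

    An absent parameter is not flagged, because the page only describes the
    explicit "true" setting.
    """
    params = global_parameters(wsdd_text)
    value = params.get("axis.enableListQuery")
    findings = []
    if value is not None and value.lower() not in FALSE_VALUES:
        msg = f"axis.enableListQuery={value!r}: WSDD listing is enabled"
        if "adminPassword" in params:
            msg += "; adminPassword is set in the same descriptor and would be listed"
        findings.append(msg)
    return findings

if __name__ == "__main__":
    for finding in audit_list_query(SAMPLE_WSDD):
        print("FINDING:", finding)
```

Run it over the text of each deployed descriptor as a build or configuration-review gate, and fail the check when the returned list is not empty.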

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3620 CAT II

[5] Axis Reference Guide, Apache Software Foundation

[6] Standards Mapping - FIPS200 - (FISMA) CM

[7] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 497

[8] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.10

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.5

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.6

[12] Web Service Security, Apache Software Foundation