Apache Axis2 information disclosure
Description
Apache Axis2 installations ship a diagnostic JSP page, axis2-web/HappyAxis.jsp, that reports which required and optional libraries are present (with versions), the Java runtime and servlet container in use, and the full set of Java system properties (OS, user name, home and working directories, classpath and library paths). The page is intended for development and troubleshooting, but it is often left reachable in production, and it requires no authentication. An unauthenticated user can therefore fingerprint the exact library versions and runtime, which is the information needed to select known vulnerabilities and tailor further attacks against the host.
Remediation
Restrict access to the /axis2-web/ directory so that only trusted sources can reach the diagnostic pages. This can be done in the front-end web server or in the servlet container. Two things to check before applying the snippets below: the path must match the context under which the Axis2 WAR is deployed (for the default axis2.war it is /axis2/axis2-web/, not /axis2-web/), and a restriction in a front-end web server only covers requests that pass through it. If the servlet container also listens on its own connector (Tomcat's port 8080 by default), firewall that port or apply the Tomcat constraint as well, otherwise the web server rule can be bypassed by connecting to the backend directly.

For Apache HTTP Server (2.4 syntax; 2.2 uses Order/Allow/Deny instead), add the following to your configuration or .htaccess file:

    <Location /axis2-web/>
        Require ip 127.0.0.1
        Require ip ::1
        # Add trusted IP addresses as needed
    </Location>

For Nginx, add to your server block. Note that a new location block does not inherit proxy_pass from the surrounding location / block, so repeat the proxy directive inside it, otherwise allowed clients get a 404 from Nginx's local root instead of the page:

    location /axis2-web/ {
        allow 127.0.0.1;
        deny all;
        # repeat the proxy_pass used for the rest of the application here
    }

For Tomcat, configure a security constraint in web.xml. The role named in auth-constraint must also be declared in a security-role element and a login-config must be present for anyone to authenticate as it; if no login-config is configured, Tomcat rejects every request to the constrained URLs, which is acceptable only if nobody needs the page at all:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Axis2 Admin</web-resource-name>
            <url-pattern>/axis2-web/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

Alternatively, remove the HappyAxis.jsp file from production deployments if diagnostic functionality is not required; the Axis2 engine does not depend on it. After any of these changes, confirm the fix by requesting the page both through the web server and directly against the servlet container port.
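The following check verifies that the restriction holds on every path a client could take. It is an added example for this page, not code from the advisory or from Apache Axis2. It assumes the WAR is deployed under the default /axis2 context, that the reverse proxy and Tomcat listen on the ports listed in TARGETS (both constructed for the example), and that the fingerprint strings match the stock HappyAxis.jsp; adjust all three for your deployment.

```python
"""Check whether HappyAxis.jsp is still reachable, via the proxy and via the
servlet container directly.

Added example, not part of the original advisory or of Apache Axis2. It assumes
the Axis2 webapp is deployed under the context path /axis2 (the default for
axis2.war) and that the reverse proxy and the servlet container listen on the
hosts and ports given in TARGETS; adjust both for your environment.
"""
import sys
import urllib.error
import urllib.request

# Strings taken from the stock HappyAxis.jsp output (assumed; adjust if your
# build customises the page). They are used as content fingerprints so that a
# 200 from a custom landing or error page is not mistaken for the diagnostic page.
FINGERPRINTS = ("Axis2 Happiness Page", "Examining webapp configuration")

# Constructed target list: the same page through the reverse proxy and directly
# on the Tomcat connector. An ACL in Apache or Nginx only covers the first one.
TARGETS = [
    "https://www.example.com/axis2/axis2-web/HappyAxis.jsp",
    "http://www.example.com:8080/axis2/axis2-web/HappyAxis.jsp",
]


def classify(status, body):
    """Return 'exposed', 'restricted', 'absent' or 'unclear' for one response.

    status: integer HTTP status code; body: decoded response body text.
    """
    if status == 200 and any(fp in body for fp in FINGERPRINTS):
        return "exposed"
    if status in (401, 403):
        return "restricted"
    if status == 404:
        return "absent"
    # 200 without the fingerprints, a redirect (e.g. to a login form) or a 5xx:
    # probably not serving the diagnostic page, but worth a manual look.
    return "unclear"


def fetch(url, timeout=10):
    """GET url and return (status, body). Redirects are not followed, so a 302
    to a login page is reported as a 302 rather than as whatever it leads to."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(targets=TARGETS):
    """Fetch every target and return a mapping of url -> verdict."""
    return {url: classify(*fetch(url)) for url in targets}


if __name__ == "__main__":
    results = audit()
    for url, verdict in results.items():
        print(f"{verdict:10} {url}")
    # Non-zero exit if any path still serves the page, so the check can run
    # from CI or a scheduled job after configuration changes.
    sys.exit(1 if "exposed" in results.values() else 0)
```

Run it once before and once after the configuration change; the verdict for the direct backend URL is the one most often overlooked, since a web-server ACL never sees that traffic.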