Apache Axis2 web services enumeration
Description
Apache Axis2 is a web services framework installed on this application server. The server exposes the Axis2 service listing endpoint at /services/listServices (rendered by Axis2's ListingAgent, separate from the admin console at /axis2-admin/), which lists every deployed web service without requiring authentication. This information disclosure lets an unauthenticated user enumerate the server's web service inventory: service names, the operations each service exposes, and links to the WSDL, which can reveal implementation details and give an attacker a ready-made target list for further probing of those services.
Remediation
Restrict access to the Axis2 service listing and administrative interface to authorized users only. Implement one or more of the following controls:
1. Configure authentication - The Axis2 admin console (/axis2-admin/) takes its credentials from the userName and password parameters in axis2.xml; change them from the shipped defaults. Note that these credentials protect only the admin console and do not gate /services/listServices, so combine this control with control 2 or 3.
2. Restrict access by IP address - Configure your web server or application server to limit access to /services/listServices and other administrative URLs (such as /axis2-admin/) to trusted IP addresses only. Apply the restriction at the component that actually receives client requests: a rule in a fronting Apache HTTP Server is bypassed if clients can reach the servlet container directly. For Apache HTTP Server 2.4, add to your configuration:
    <Location /services/listServices>
        Require ip 192.168.1.0/24
        Require ip 10.0.0.0/8
    </Location>
   With only Require ip directives present, any client outside the listed ranges receives 403 Forbidden.
3. Disable the service listing feature - If service enumeration is not required, disable it entirely by removing or commenting out the ListingAgent in your Axis2 configuration.
4. Use network segmentation - Place administrative interfaces on a separate network segment accessible only to authorized administrators.
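The following script is an added example written for this finding; it is not Axis2 project code. It confirms the exposure described above (fetch /services/listServices, parse out the service names and operations an attacker would harvest) and, re-run after remediation, verifies that the page is no longer reachable (a 403 from an IP allow-list is reported as restricted). The HTML layout it assumes (service name inside an h2 anchor, operations in a ul after an "Available operations" heading) follows what Axis2's ListingAgent renders by default, but confirm it against the target's actual output; the embedded sample page is constructed for the offline demo, not captured from a real server.

```python
"""Check whether an Axis2 /services/listServices page is exposed and, if so,
enumerate what it leaks. Added example for this finding, not Axis2 code."""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser


class ListingParser(HTMLParser):
    """Collects {service_name: [operation, ...]} from the listing HTML.

    Assumed layout (default Axis2 ListingAgent output): each service is an
    <h2><a>Name</a></h2>, followed by an 'Available operations' heading and
    a <ul> whose <li> items are the operation names.
    """

    def __init__(self):
        super().__init__()
        self.services = {}
        self._current = None
        self._in_h2 = self._in_a = self._in_li = self._in_ops = False

    def handle_starttag(self, tag, attrs):
        if tag == "h2":
            self._in_h2 = True
        elif tag == "a" and self._in_h2:
            self._in_a = True
        elif tag == "li" and self._in_ops:
            self._in_li = True

    def handle_endtag(self, tag):
        if tag == "h2":
            self._in_h2 = False
        elif tag == "a":
            self._in_a = False
        elif tag == "li":
            self._in_li = False
        elif tag == "ul":
            self._in_ops = False  # operations list for this service is done

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        if self._in_h2 and self._in_a:
            self._current = text  # new service entry
            self.services.setdefault(text, [])
        elif self._current and text.lower().startswith("available operations"):
            self._in_ops = True
        elif self._in_li and self._current:
            self.services[self._current].append(text)


def parse_listing(html):
    parser = ListingParser()
    parser.feed(html)
    parser.close()
    return parser.services


def assess(status, body):
    """Classify a response to /services/listServices.

    'exposed'    - 200 and at least one service parsed (finding confirmed)
    'restricted' - non-200 (e.g. 403 from an IP allow-list)
    'unknown'    - 200 but no services recognised; inspect the body by hand
    """
    if status != 200:
        return "restricted", {}
    services = parse_listing(body)
    return ("exposed" if services else "unknown"), services


def fetch(url, timeout=10):
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "axis2-listing-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample of a listing page for the offline demo (not a real capture).
SAMPLE_LISTING = """<html><body><h1>Available services</h1>
<h2><font color="blue"><a href="/axis2/services/Version?wsdl">Version</a></font></h2>
<font color="blue">Service Description : <font color="black">Returns the running Axis2 version</font></font><br><br>
<h4>Available operations</h4><ul>
<li>getVersion</li>
</ul>
<h2><font color="blue"><a href="/axis2/services/AccountService?wsdl">AccountService</a></font></h2>
<h4>Available operations</h4><ul>
<li>getBalance</li>
<li>transferFunds</li>
</ul>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) == 2:
        status, body = fetch(sys.argv[1])  # e.g. http://host:8080/axis2/services/listServices
    else:
        status, body = 200, SAMPLE_LISTING  # offline demo on the constructed sample
    verdict, services = assess(status, body)
    print(f"HTTP {status}: {verdict}")
    for name, ops in services.items():
        print(f"  {name}: {', '.join(ops) or '(no operations listed)'}")
```

Run it with the full listServices URL as the only argument; an "exposed" verdict with a populated service list reproduces the finding, and "restricted" after applying control 2 or 3 confirms the fix from the client's side of the web server.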