Magento Forums
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Magento Path Disclosure Vulnerability

‎08-09-2017 08:42 PM
‎08-09-2017 08:42 PM

Magento Path Disclosure Vulnerability

Hi Magento team,

When we use an automated security scanning tool to scan the website,
following URLs generated by the tool have the "Path Disclosure" Vulnerability.

https://.../index.php/catalog/product_compare/index/history/
https://.../index.php/catalog/seo_sitemap/category/BUGS
https://.../index.php/catalog/seo_sitemap/category/lib/
https://.../index.php/customer/account/dashboard/WSDL/


The scanning tool provided following information regarding the "Path Disclosure" Vulnerability.

Threat:
A potentially sensitive file, directory, or directory listing was discovered on the Web server.
Impact:
The contents of this file or directory may disclose sensitive information.
Solution:
Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

Magento returned "HTTP/1.1 200 OK" to above URLs, which is an issue.

Please advise how to fix this, thank you.

Labels:
0 Kudos
Reply
1 REPLY 1
‎08-30-2017 12:15 PM
‎08-30-2017 12:15 PM

Re: Magento Path Disclosure Vulnerability

These URLs don't appear to be files on the server so I think this is a false positive. 


If you do find a security flaw, I recommend that you post to security@magento.com rather than on a public forum. Many thanks. 

----
If you've found one of my answers useful, please give "Kudos" or "Accept as Solution" as appropriate. Thanks!
0 Kudos
Reply