Magento Path Disclosure Vulnerability

Hi Magento team,

When we use an automated security scanning tool to scan the website,
the following URLs generated by the tool have the "Path Disclosure" vulnerability.

https://.../index.php/catalog/product_compare/index/history/
https://.../index.php/catalog/seo_sitemap/category/BUGS
https://.../index.php/catalog/seo_sitemap/category/lib/
https://.../index.php/customer/account/dashboard/WSDL/


The scanning tool provided the following information regarding the "Path Disclosure" vulnerability.

Threat:
A potentially sensitive file, directory, or directory listing was discovered on the Web server.
Impact:
The contents of this file or directory may disclose sensitive information.
Solution:
Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

Magento returned "HTTP/1.1 200 OK" to the above URLs, which is an issue.

Please advise how to fix this, thank you.

1 REPLY

Re: Magento Path Disclosure Vulnerability

These URLs don't appear to be files on the server, so I think this is a false positive.


If you do find a security flaw, I recommend that you post to security@magento.com rather than on a public forum. Many thanks. 

----
If you've found one of my answers useful, please give "Kudos" or "Accept as Solution" as appropriate. Thanks!
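A way to triage this kind of scanner hit on your own store before escalating it, as an added example that is not part of this thread and is not Magento's or the scanner's code: the scanner is only reporting that the URL returned 200, so the useful check is whether the response body actually leaks a server-side path or directory listing, and whether it is simply the same application page that the parent route (the URL with the last segment dropped) returns. The hostname, the response bodies and the "16+ alphanumeric characters is a per-request token" heuristic below are constructed assumptions; the regexes are a starting point, not a complete signature set.

```python
"""Triage scanner 'Path Disclosure' hits by inspecting the actual response.

Added example (not from the forum thread or from Magento). Sample bodies are
constructed for illustration; check_live() is the only function that touches the network.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Patterns whose presence in a body is a real disclosure of server-side layout.
PATH_LEAK_PATTERNS = [
    # PHP warnings/notices/fatals embed the absolute script path (with or without <b> wrapping).
    re.compile(r"\b(?:Warning|Notice|Fatal error|Parse error)\b[^\n]*?\bin\s+(?:<b>)?(/[^\s:<]+\.php)(?:</b>)?\s+on\s+line\b", re.I),
    # Bare absolute Unix paths under common web roots.
    re.compile(r"(?<![\w/])(/(?:var/www|home|srv|usr/share|opt|htdocs)/[^\s\"'<>]+)"),
    # Windows drive paths such as C:\inetpub\wwwroot\...
    re.compile(r"\b([A-Za-z]:\\(?:[^\s\"'<>\\]+\\)*[^\s\"'<>\\]*)"),
    # Apache/nginx autoindex pages.
    re.compile(r"<title>\s*(Index of\s+/[^\s<]*)", re.I),
]


def find_path_leaks(body: str) -> list:
    """Return the distinct paths / listing markers found in a response body, in order."""
    hits = []
    for pat in PATH_LEAK_PATTERNS:
        for m in pat.finditer(body):
            hits.append(m.group(1))
    return list(dict.fromkeys(hits))


def triage(status: int, body: str) -> str:
    """Classify one scanner hit from its status code and body.

    'path_disclosure' - body leaks a server path or directory listing (any status)
    'not_found'       - 4xx/5xx without a leak: nothing to report
    'false_positive'  - 2xx/3xx but the body is ordinary application output
    """
    if find_path_leaks(body):
        return "path_disclosure"
    if status >= 400:
        return "not_found"
    return "false_positive"


def normalize(body: str) -> str:
    """Strip per-request tokens (form keys, session ids) and whitespace so two renders of
    the same route compare equal. Treating any 16+ char alphanumeric run as a token is an
    assumption about token shape, not a Magento-specific rule."""
    body = re.sub(r"\b[A-Za-z0-9]{16,}\b", "", body)
    return re.sub(r"\s+", " ", body).strip()


def same_page(body_a: str, body_b: str) -> bool:
    """True when two bodies are the same page modulo per-request tokens."""
    return normalize(body_a) == normalize(body_b)


def parent_route(url: str) -> str:
    """Drop the last path segment: .../category/lib/ -> .../category/ (query and fragment removed)."""
    parts = urlsplit(url)
    segs = parts.path.rstrip("/").split("/")
    return parts._replace(path="/".join(segs[:-1]) + "/", query="", fragment="").geturl()


def check_live(url: str, timeout: float = 10.0) -> dict:
    """Fetch the flagged URL and its parent route and report the verdict (network access required)."""
    def get(u):
        req = urllib.request.Request(u, headers={"User-Agent": "path-disclosure-triage/1.0"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")

    status, body = get(url)
    _, parent_body = get(parent_route(url))
    return {
        "status": status,
        "verdict": triage(status, body),
        "same_as_parent": same_page(body, parent_body),
        "leaks": find_path_leaks(body),
    }


# Constructed sample bodies (not real Magento output).
SAMPLE_CATEGORY_PAGE = (
    '<html><head><title>Site Map</title></head><body><form>'
    '<input type="hidden" name="form_key" value="AbCdEfGhIjKlMnOp"></form>'
    '<ul><li>Shoes</li></ul></body></html>'
)
SAMPLE_CATEGORY_PAGE_OTHER_KEY = SAMPLE_CATEGORY_PAGE.replace("AbCdEfGhIjKlMnOp", "ZyXwVuTsRqPoNmLk")
SAMPLE_PHP_WARNING = (
    "<br />\n<b>Warning</b>:  include(lib/Foo.php): failed to open stream in "
    "<b>/var/www/html/app/code/core/Mage/Core/Model/Layout.php</b> on line <b>555</b><br />"
)
SAMPLE_AUTOINDEX = "<html><head><title>Index of /lib/</title></head><body><h1>Index of /lib/</h1></body></html>"

if __name__ == "__main__":
    for name, body in [("category page", SAMPLE_CATEGORY_PAGE),
                       ("php warning", SAMPLE_PHP_WARNING),
                       ("autoindex", SAMPLE_AUTOINDEX)]:
        print(f"{name:14} -> {triage(200, body)} {find_path_leaks(body)}")
    print(parent_route("https://shop.example/index.php/catalog/seo_sitemap/category/lib/"))
```

A 200 whose body has no leak and is the same page as the parent route is the case the reply describes: Magento's router treats the trailing segment as a request parameter and renders the normal page, which is not a disclosure. A body that trips one of the patterns is worth sending to security@magento.com with the exact response attached rather than the scanner's generic summary.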