RE: WebInspect : Web Server Misconfiguration: Unprotected Directory
Hello, we ran our Liferay application through Fortify WebInspect and we are getting a security issue, Web Server Misconfiguration: Unprotected Directory, on the following payload attack URLs: https://xxx.xx.xx..com:443/en/, https://xxx.xx.xx..com:443/group/, https://<hostname>.com:443/tags/, https://xxx.xx.xx..com:443/home/, https://xxx.xx.xx..com:443/user. WebInspect is recommending that we restrict access on the following page URLs: <hostname>/web or <hostname>/home or <hostname>/tag or <hostname>/group. When a request is made to this page it returns a 200. When we type the page URL with those resources it returns to the main page. Is there a way to return a 401 unauthorized access when a user who is not logged in tries to access <hostname>/web or <hostname>/group or <hostname>/tag, etc.?
Hi,
You may need to create a portal filter/servlet filter and add your custom validation in it. You can refer to the link below:
https://help.liferay.com/hc/en-us/articles/360020486752-Servlet-Filters
Also you can handle it at webserver level Refer
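The servlet-filter approach suggested in the answer above, sketched as an added example that is not part of the original thread and is not Liferay's own code. It assumes the `javax.servlet` API, that `getRemoteUser()` returns null for a visitor who is not signed in, and a hypothetical class name; the prefix list is taken from the URLs in the question, and registering the filter is left to the linked documentation.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: answers 401 when a guest requests a bare URL prefix. */
public class BarePrefixGuestFilter implements Filter {

    // Bare prefixes from the question. Only the prefix itself is matched, so
    // deeper paths such as /web/guest/home are passed through untouched.
    private static final Set<String> BARE_PREFIXES =
        new HashSet<>(Arrays.asList("/web", "/group", "/user", "/tags"));

    /** Compares the path after removing ;path-parameters and trailing slashes. */
    static boolean isBarePrefix(String requestUri, String contextPath) {
        String path = requestUri.substring(contextPath.length());
        int semicolon = path.indexOf(';');           // e.g. ;jsessionid=...
        if (semicolon >= 0) {
            path = path.substring(0, semicolon);
        }
        while (path.length() > 1 && path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        return BARE_PREFIXES.contains(path);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Assumption: a null remote user means the visitor is not signed in.
        boolean guest = request.getRemoteUser() == null;
        if (guest && isBarePrefix(request.getRequestURI(), request.getContextPath())) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // HTTP 401
            return;
        }
        chain.doFilter(req, res); // signed-in users and all other paths continue
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Matching only the exact prefix keeps public pages under those prefixes reachable for guests; whether the 401 is needed at all is the subject of the next reply.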
Hi,
WebInspect is a tool which returns all different kinds of findings that must be manually verified. This case is a security false positive reported by WebInspect; there are no directories that would be unprotected. There is no security risk to be mitigated.
Any solution to return HTTP 401 instead of HTTP 200 is only extra work with no effect.
HTH.
-- tom +