WebInspect : Web Server Misconfiguration: Unprotected Directory
https://liferay.dev/en/c/message_boards/find_thread?p_l_id=119785333&threadId=120989726
2024-03-28T10:15:54Z

RE: WebInspect : Web Server Misconfiguration: Unprotected Directory
Tomáš Polešovský
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=120992694
2021-07-28T18:14:56Z 2021-07-28T18:14:55Z
<p>Hi,</p>
<p>WebInspector is a tool which returns all different kinds of findings
that must be manually verified. This case is a security false-positive
reported by WebInspector; there are no directories that would be
unprotected. There is no security risk to be mitigated.</p>
<p>Any solution to return HTTP 401 instead of HTTP 200 is only extra
work with no effect. </p>
<p>HTH.</p>
<p>-- tom +</p>

RE: WebInspect : Web Server Misconfiguration: Unprotected Directory
Mohammed Yasin
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=120991103
2021-07-28T08:52:45Z 2021-07-28T07:31:08Z
<p>Hi,</p>
<p>You may need to create a portal filter / servlet filter and add your
custom validation in that. You can refer to the link below:</p>
<p> https://help.liferay.com/hc/en-us/articles/360020486752-Servlet-Filters</p>
<p>Also, you can handle it at the web server level: <a href="https://perishablepress.com/eight-ways-to-blacklist-with-apaches-mod_rewrite/">Refer</a></p>

WebInspect : Web Server Misconfiguration: Unprotected Directory
Kevin Matthews
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=120989725
2021-08-17T15:26:09Z 2021-07-27T17:37:06Z
<p>Hello, we ran our Liferay application through Fortify WebInspect and
we are getting a security issue such as <strong>Web Server
Misconfiguration: Unprotected Directory</strong> on the following
payload attack URLs: https://xxx.xx.xx..com:443/en/,
https://xxx.xx.xx..com:443/group/, https://<hostname>.com:443/tags/, https://xxx.xx.xx..com:443/home/, https://xxx.xx.xx..com:443/user.
WebInspect is recommending to restrict access on the following
page URLs: <hostname>/web or <hostname>/home or
<hostname>/tag or <hostname>/group. When a request is made
to this page it returns a 200. When we type the page URL with those
resources it returns to the main page. Is there a way to return a 401
unauthorized access when the user who is not logged in tries to access
<hostname