WebInspect : Web Server Misconfiguration: Unprotected Directory

Kevin Matthews, modified 2 Years ago.

Expert Posts: 253 Join Date: 1/25/16 Recent Posts

Hello, we ran our Liferay application through Fortify WebInspect and we are getting a security issue, Web Server Misconfiguration: Unprotected Directory, on the following payload attack URLs: https://xxx.xx.xx..com:443/en/, https://xxx.xx.xx..com:443/group/, https://<hostname>.com:443/tags/, https://xxx.xx.xx..com:443/home/, https://xxx.xx.xx..com:443/user. WebInspect is recommending that we restrict access on the following page URLs: <hostname>/web or <hostname>/home or <hostname>/tag or <hostname>/group. When a request is made to this page, it returns a 200. When we type a page URL with those resources, it returns to the main page. Is there a way to return a 401 Unauthorized when a user who is not logged in tries to access <hostname>/web or <hostname>/group or <hostname>/tag, etc.?

Mohammed Yasin, modified 2 Years ago.

RE: WebInspect : Web Server Misconfiguration: Unprotected Directory

Liferay Master Posts: 591 Join Date: 8/8/14 Recent Posts

Hi,

You may need to create a portal filter/servlet filter and add your custom validation in that. You can refer to the link below:

 https://help.liferay.com/hc/en-us/articles/360020486752-Servlet-Filters

Also, you can handle it at the web server level. Refer

Tomáš Polešovský, modified 2 Years ago.

RE: WebInspect : Web Server Misconfiguration: Unprotected Directory

Liferay Master Posts: 676 Join Date: 2/13/09 Recent Posts

Hi,

WebInspector is a tool which returns all different kinds of findings that must be manually verified. This case is a security false positive reported by WebInspector; there are no directories that would be unprotected. There is no security risk to be mitigated.

Any solution to return HTTP 401 instead of HTTP 200 is only extra work with no effect. 

HTH.

-- tom +
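
One way to carry out the manual verification discussed in this thread, as an added example that is not part of any post: it checks whether a flagged URL serves a server-generated directory index or just the same content as the main page, which is what the original poster observed. The function name `triage`, the marker strings, the 0.9 similarity threshold and all sample responses are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Strings emitted by server-generated indexes: Apache/nginx autoindex,
# Tomcat DefaultServlet listings, IIS directory browsing.
LISTING_MARKERS = re.compile(
    r"<(?:title|h1)>\s*Index of /|Directory Listing For|\[To Parent Directory\]",
    re.IGNORECASE,
)

def triage(status, body, main_page_body, threshold=0.9):
    """Classify one scanner-flagged response for manual review."""
    if status in (401, 403):
        return "access-restricted"
    if 300 <= status < 400:
        return "redirect"
    if status != 200:
        return "other"
    if LISTING_MARKERS.search(body):
        return "directory-listing"       # real exposure: a file index is served
    # Same content as the site's main page means the application handled
    # the path itself; no file-system directory is being exposed.
    ratio = SequenceMatcher(None, body, main_page_body, autojunk=False).ratio()
    if ratio >= threshold:
        return "same-as-main-page"
    return "application-page"            # needs a human look at the content

# Constructed sample responses (not captured from any real server).
MAIN_PAGE = ("<html><head><title>Welcome - Portal</title></head><body>"
             "<input type='hidden' name='p_auth' value='aaaa1111'>"
             "<h1>Welcome</h1><p>Please sign in.</p></body></html>")
GROUP_PAGE = MAIN_PAGE.replace("aaaa1111", "bbbb2222")  # only the token differs
AUTOINDEX = ("<html><head><title>Index of /backup</title></head><body>"
             "<h1>Index of /backup</h1><a href='file.txt'>file.txt</a>"
             "</body></html>")

def run_samples():
    """Run the constructed cases: a portal path, a real listing, a 401."""
    return {
        "/group/": triage(200, GROUP_PAGE, MAIN_PAGE),
        "/backup/": triage(200, AUTOINDEX, MAIN_PAGE),
        "/restricted/": triage(401, "", MAIN_PAGE),
    }

if __name__ == "__main__":
    for path, verdict in run_samples().items():
        print(path, "->", verdict)
```

A `same-as-main-page` verdict on a flagged path supports treating the finding as a false positive; only `directory-listing` indicates that a file index is actually exposed.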