WebInspect : Web Server Misconfiguration: Unprotected Directory
Expert Posts: 253 Join Date: 1/25/16
Hello, we ran our Liferay application through Fortify WebInspect and we are getting a security issue, Web Server Misconfiguration: Unprotected Directory, on the following payload attack URLs: https://xxx.xx.xx..com:443/en/, https://xxx.xx.xx..com:443/group/, https://<hostname>.com:443/tags/, https://xxx.xx.xx..com:443/home/, https://xxx.xx.xx..com:443/user. WebInspect is recommending restricting access on the following page URLs: <hostname>/web or <hostname>/home or <hostname>/tag or <hostname>/group. When a request is made to this page it returns a 200. When we type the page URL with those resources it returns to the main page. Is there a way to return a 401 unauthorized access when a user who is not logged in tries to access <hostname>/web or <hostname>/group or <hostname>/tag etc.?
RE: WebInspect : Web Server Misconfiguration: Unprotected Directory
Liferay Master Posts: 591 Join Date: 8/8/14
Hi,
You may need to create a portal filter / servlet filter and add your custom validation in that. You can refer to the link below:
https://help.liferay.com/hc/en-us/articles/360020486752-Servlet-Filters
Also you can handle it at webserver level Refer
RE: WebInspect : Web Server Misconfiguration: Unprotected Directory
Liferay Master Posts: 676 Join Date: 2/13/09
Hi,
WebInspector is a tool which returns all different kinds of findings that must be manually verified. This case is a security false-positive reported by WebInspector; there are no directories that would be unprotected. There is no security risk to be mitigated.
Any solution to return HTTP 401 instead of HTTP 200 is only extra work with no effect.
HTH.
-- tom +
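The servlet-filter approach suggested in the first reply, as an added example that is not code from the thread or from Liferay: it uses only the standard `javax.servlet` API, the class name `AnonymousPathFilter` is hypothetical, and it assumes the filter runs where `getRemoteUser()` already reflects the portal login. Anonymous requests to public pages under these prefixes would receive the 401 as well.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; register it as a filter mapped to /* in the deployment.
public class AnonymousPathFilter implements Filter {

    // Path prefixes named in the question (WebInspect's recommendation).
    private static final List<String> PREFIXES =
            Arrays.asList("/web", "/home", "/tag", "/group");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    // True for "/group" and "/group/...", but not for "/groups".
    static boolean isListed(String path) {
        for (String prefix : PREFIXES) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Container-decoded path, so "/%67roup/" cannot slip past the prefix check.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        // Assumption: getRemoteUser() is null until the portal login has completed.
        if (isListed(path) && request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // HTTP 401
            return;
        }
        chain.doFilter(request, response);
    }
}
```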