Topic: Security Scan: web.config File Information Disclosure

Author: MelB
Joined: 13 Oct 2021, Posts: 3, Location: Ireland
Posted: Wed 13 Oct '21 13:28, Post subject: Security Scan: web.config File Information Disclosure
Hi there
Apache2 version: Apache/2.4.51
Ubuntu: 20.04
PHP: 7.4.24
I'm new to working with Apache and on the servers and am trying to secure a new Apache server. After IT ran a security scan with SecurityMetrics on one of our websites, we are getting a result of 5 with the following vulnerability bringing our score down:
web.config File Information Disclosure
Synopsis: The remote web server hosts an application that is affected by an information disclosure vulnerability.
Resolution: Ensure proper restrictions are in place, or remove the web.config file if the file is not required.
Data Received: SecurityMetrics was able to exploit the issue using the following request:

GET /web.config HTTP/1.1
Host: WEBSITE.co.uk
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

This produced the following truncated output (limited to 5 lines):
------------------------------ snip ------------------------------
<!-- Rewrites requires Microsoft
URL Rewrite Module for IIS
Download: https://www.iis.net/downloads/microsoft/url-rewrite
Debug Help: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-failedrequest-tracing-to-trace-rewrite-rules --> [...]
I've done some research and web.config seems to be related to Microsoft rather than Ubuntu/Apache, so it cannot be found on the server. The links included in Data Received are all related to IIS, which I don't believe are helpful in this case.
It seems a possible solution is to block access to web.config using the .htaccess, but I'm not sure how that will work if there is no web.config file on the server, or .htaccess, as the website in question doesn't require a .htaccess file so doesn't have one.
Has anyone come across an issue like this before or know a way to secure this vulnerability? Maybe it is a false positive in the security scan as well.
Apologies if I'm missing some information; please let me know and I'll update.
Thanks a million in advance
Author: James Blond (Moderator)
Joined: 19 Jan 2006, Posts: 7373, Location: Germany, Next to Hamburg
Posted: Mon 18 Oct '21 16:30
Code:
# Return 403 Forbidden for a request to web.config (the dot is escaped so
# the pattern matches the literal filename only)
RewriteRule ^web\.config$ - [F]

This does the trick. It might be even easier to delete that file.
Author: MelB
Joined: 13 Oct 2021, Posts: 3, Location: Ireland
Posted: Wed 20 Oct '21 10:16
Thanks so much for getting back to me! Can I just clarify that you'd add this to the apache.conf file?
I'd delete the web.config file, but I can't actually find it on the server, so I'll try your fix first! Thanks again
Author: James Blond (Moderator)
Joined: 19 Jan 2006, Posts: 7373, Location: Germany, Next to Hamburg
Posted: Mon 25 Oct '21 21:05
You can add that into the vhost config or a .htaccess file in the document root. Don't forget to enable mod_rewrite and enable Rewrite:
Code:
RewriteEngine On
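The two replies combined into one vhost fragment, as an added example that is not James Blond's configuration (the host name and document root are placeholders): it shows the rewrite in vhost context, where the leading slash matters, plus a <Files> block that needs no mod_rewrite.

```apache
# Added example, not from the thread. Two ways to answer GET /web.config with
# 403 Forbidden on Apache 2.4. ServerName and DocumentRoot are placeholders.
<VirtualHost *:80>
    ServerName www.example.co.uk
    DocumentRoot /var/www/example

    # Option 1: mod_rewrite (a2enmod rewrite on Ubuntu). In server or vhost
    # context the tested URL path starts with "/", so the pattern needs the
    # leading slash; inside a .htaccess file the path is relative and the
    # pattern is ^web\.config$ as in the reply above. The escaped dot keeps
    # the rule from matching other names such as "webXconfig"; [NC] also
    # catches Web.Config. Works whether or not the file exists on disk.
    RewriteEngine On
    RewriteRule ^/web\.config$ - [F,NC]

    # Option 2: core authorization, no extra module. Denies a file named
    # web.config anywhere under the document root, including subdirectories
    # where a copied IIS site template may have left one.
    <Files "web.config">
        Require all denied
    </Files>
</VirtualHost>
```

Because the scanner received the file's contents, a web.config does exist somewhere under the document root; `find /var/www/example -name web.config` locates it so it can be removed, with the rule above left in place as a safety net.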