• State Suggested Answer
  • Replies replies
    3
  • Answers answer
    1
  • Subscribers subscribers
    18
  • Views views
    88
  • Users 0 members are here
Related Discussions
Options

Web Server Misconfiguration: Unprotected File (VulnID 11405) with dll.gz

KSKrug

Good morning. 

I ran a scan with WebInspect on an application with ASP.NET and Blazor and found a huge number of these unprotected files flagging them as a High vulnerability. 
The developers insist that they contain no protected data and that they are required to be this way due to the user experience if the server needs to decompress these files before presenting them to the user. I am not a developer so I don't really know if these should be marked as such or just ignored in the report. 

This is a critical application that is in the final stages of deployment, so any help here is welcomed. What I would like to know is if anyone else has come across this particular use case and what you did with them. 

Thank you for your time.

Kahn

  • Suggested Answer

    0 Micro Focus Employee

    WebInspect flags on any files accessible with a .gz extension. As these are commonly backup files, we are alerting to the potential of that file containing sensitive or protected information

    WebInspect alerts on both confirmed/verified vulnerabilities and potential vulnerabilities that may need further investigation. Appears you followed the process in this instance. You were alerted by WebInspect and brought this to the attention of the developers. The developers confirmed there was no PII or sensitive information contained in the file.

    Based on this, I would add a vulnerability note then either

    • change the severity of the vulnerability,
    • mark this finding as
      • a false positive or
      • ignored
  • 0
    in reply to ebell

    If I change the severity of this vulnerability, would that affect this VulnID in subsequent scans? Or just for this particular application?

  • 0 Micro Focus Employee
    in reply to KSKrug

    When you change the vulnerability in WebInspect, it is for that scan and its children (rescans). It will not affect the default policy or the vulnerability for use in other scans.

Resources

Support
Documentation
Training
CyberRes Academy
Partner Portal
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
How To Buy
Careers
Investor Relations
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.