Web Server Misconfiguration: Unprotected File (VulnID 11405) with dll.gz

Good morning. 

I ran a scan with WebInspect on an application with ASP.NET and Blazor and found a huge number of these unprotected files, flagged as a High vulnerability. 
The developers insist that they contain no protected data and that they are required to be this way due to the user experience if the server needs to decompress these files before presenting them to the user. I am not a developer so I don't really know if these should be marked as such or just ignored in the report. 

This is a critical application that is in the final stages of deployment, so any help here is welcomed. What I would like to know is if anyone else has come across this particular use case and what you did with them. 

Thank you for your time.

Kahn

  • Suggested Answer

    WebInspect flags any files accessible with a .gz extension. As these are commonly backup files, we are alerting to the potential of that file containing sensitive or protected information.

    WebInspect alerts on both confirmed/verified vulnerabilities and potential vulnerabilities that may need further investigation. It appears you followed the process in this instance. You were alerted by WebInspect and brought this to the attention of the developers. The developers confirmed there was no PII or sensitive information contained in the file.

    Based on this, I would add a vulnerability note, then either

    • change the severity of the vulnerability,
    • mark this finding as
      • a false positive or
      • ignored
  • If I change the severity of this vulnerability, would that affect this VulnID in subsequent scans? Or just for this particular application?

  • When you change the vulnerability in WebInspect, it is for that scan and its children (rescans). It will not affect the default policy or the vulnerability for use in other scans.
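Before downgrading or ignoring a batch of "unprotected .gz file" findings, it is worth checking the flagged files yourself rather than relying only on the developers' word. The check below is an added example written for this thread; it is not part of the original post, the answer, or WebInspect. It assumes you have already downloaded the flagged files (the bytes here are constructed inline so the script runs offline), and it classifies each one by what it actually decompresses to: a PE image (the `MZ` header a compiled .NET assembly starts with) is consistent with a precompressed Blazor asset, secret-looking text is something to escalate, and anything that is not valid gzip at all does not belong in this bucket. The strongest evidence that `X.dll.gz` is just a precompressed copy is that it decompresses to exactly the bytes of `X.dll`, which `is_precompressed_copy` checks when you have both.

```python
import gzip
import re
import zlib

# Constructed stand-ins for files a scanner flagged. In practice you would
# fetch each flagged URL and pass the response body to classify_gz().
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200  # minimal PE-like header, constructed
FAKE_CONFIG = (
    b"<connectionStrings>\n"
    b'  <add name="db" connectionString="Server=db;User=app;Password=hunter2" />\n'
    b"</connectionStrings>\n"
)
SAMPLES = {
    "_framework/System.Text.Json.dll.gz": gzip.compress(FAKE_PE),   # looks like a Blazor asset
    "web.config.gz": gzip.compress(FAKE_CONFIG),                    # looks like a leaked backup
    "backup.gz": b"not gzip at all",                                # wrong content type entirely
    "truncated.dll.gz": gzip.compress(FAKE_PE)[:14],                # cut off mid-stream
}

# Tokens whose presence in a decompressed payload should trigger manual review.
SENSITIVE = re.compile(
    rb"(password|connectionstring|secret|api[_-]?key|begin (rsa |ec |openssh )?private key)",
    re.IGNORECASE,
)

def classify_gz(name, data):
    """Return (verdict, reason) for one flagged .gz response body."""
    if data[:2] != b"\x1f\x8b":
        return ("not-gzip", f"{name}: no gzip magic bytes; this is not a compressed asset")
    try:
        payload = gzip.decompress(data)
    except (OSError, EOFError, zlib.error) as exc:  # BadGzipFile is an OSError subclass
        return ("corrupt", f"{name}: gzip decode failed: {exc}")
    if payload[:2] == b"MZ":
        return ("compiled-assembly", f"{name}: payload is a PE image ({len(payload)} bytes)")
    if SENSITIVE.search(payload):
        return ("review", f"{name}: payload contains secret-like tokens; escalate")
    return ("unknown", f"{name}: decompressed to {len(payload)} bytes of unrecognised content")

def is_precompressed_copy(gz_data, plain_data):
    """True when the .gz body is exactly a gzip of the sibling uncompressed file."""
    try:
        return gzip.decompress(gz_data) == plain_data
    except (OSError, EOFError, zlib.error):
        return False

def triage(samples):
    """Classify every flagged file; returns {name: verdict}."""
    return {name: classify_gz(name, data)[0] for name, data in samples.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_gz(name, data)
        print(f"{verdict:18} {reason}")
    print("dll.gz matches dll:", is_precompressed_copy(SAMPLES["_framework/System.Text.Json.dll.gz"], FAKE_PE))
```

Findings that come back `compiled-assembly` and match their uncompressed sibling are the ones the suggested answer describes: note the reason in the vulnerability note and lower the severity or mark them as a false positive for that scan. Anything that returns `review` or `unknown` should stay at its original severity until someone has looked at the decompressed content.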