Path-Based Vulnerability with webmail during PCI scan
Hi,
We were doing a PCI scan for our cPanel/WHM dedicated server, and the vulnerability below was reported from the vendor side. Is this really an issue, or is it a false positive?
VULNERABILITY DETAILS
CVSS Base Score: 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Score: 1.9 E:F/RL:W/RC:C
Severity: 2
QID: 150004
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 2023-05-22 18:32:20.0
THREAT:
A file, directory, or directory listing was discovered on the Web server. These resources are confirmed to be present based on our logic. Some of the content on these files might have sensitive information.
NOTE: Links found in 150004 are found by forced crawling so will not automatically be added to 150009 Links Crawled or the application site map. If links found in 150004 need to be tested they must be added as Explicit URI so they are included in scope and then will be reported in 150009. Once the link is added to be in scope (i.e. Explicit URI) this same link will no longer be reported for 150004.
IMPACT:
The contents of this file or directory may disclose sensitive information.
SOLUTION:
It is advised to review the contents of the disclosed files. If the contents contain sensitive information, please verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.
RESULT:
url: https://domain.com:2096/
Payload: https://domain.com/webmail
comment: Found this Vulnerability for redirect link: https://domain.com:2096/. It was redirected from: https://domain.com/webmail/.
Original URL is: https://domain.com/
matched: HTTP/1.1 200 OK
You'll probably need to ask your PCI/security team whether it is a true vulnerability; automated scans can only do "so much".
However, the message does say that https://example.com/webmail redirects to https://example.com:2096 (as I would expect on a cPanel server) and that the page does return a "200 OK" (again as I would expect). The "vulnerability" listed is that a "file, directory, or directory listing was discovered on the Web server". So when you go to https://example.com:2096/, do you get a directory listing as the report says, or do you actually get the Webmail login page (as I would suspect)? If the latter, then it's a false positive.
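The reply above boils down to one check: follow the /webmail redirect the scanner reported and look at what the final page actually is. The script below is an added example, not code from the thread or from cPanel; it follows the redirect chain hop by hop (so the output resembles the scanner's "redirected from" line) and classifies the final 200 response as a directory listing (a real finding to act on) or a login form (the false positive the reply describes). The hostname and port are placeholders, and the HTML samples are constructed for the offline check at the bottom.

```python
"""Verify a QID 150004 style finding: is the redirect target a directory listing
or a login page?  Added example; example.com and the HTML samples are constructed."""
import re
import urllib.error
import urllib.request
from typing import Tuple
from urllib.parse import urljoin

# Markers typical of an auto-generated directory index (Apache/nginx/IIS style).
DIR_LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"Parent Directory", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
]
# Markers typical of a login form: a password input or a form posting to a login URL.
LOGIN_PATTERNS = [
    re.compile(r"<input[^>]+type=[\"']?password", re.I),
    re.compile(r"<form[^>]+action=[\"']?[^\"'> ]*login", re.I),
]


def classify_page(status: int, body: str) -> str:
    """Return 'directory-listing', 'login-page' or 'other' for a fetched page.

    Only a 200 is interesting: the scanner's "matched: HTTP/1.1 200 OK" is what
    triggered the finding, so non-200 responses are classified as 'other'.
    """
    if status != 200:
        return "other"
    if any(p.search(body) for p in DIR_LISTING_PATTERNS):
        return "directory-listing"
    if any(p.search(body) for p in LOGIN_PATTERNS):
        return "login-page"
    return "other"


def verdict(status: int, body: str) -> str:
    """Map the classification onto the triage decision from the thread."""
    kind = classify_page(status, body)
    if kind == "directory-listing":
        return "finding stands: directory listing exposed, disable indexes or restrict access"
    if kind == "login-page":
        return "false positive: target is the webmail login page, not a listing"
    return "inconclusive: review the page manually"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx so each hop can be recorded explicitly."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_following_redirects(url: str, max_hops: int = 5) -> Tuple[str, int, str]:
    """Follow redirects manually, printing each hop; return (final_url, status, body)."""
    opener = urllib.request.build_opener(_NoRedirect())
    for _ in range(max_hops):
        try:
            with opener.open(url, timeout=10) as resp:
                return url, resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            if err.code in (301, 302, 303, 307, 308) and err.headers.get("Location"):
                nxt = urljoin(url, err.headers["Location"])
                print(f"{url} -> {err.code} -> {nxt}")
                url = nxt
                continue
            return url, err.code, err.read().decode("utf-8", "replace")
    raise RuntimeError("too many redirects")


# Constructed samples standing in for the two outcomes the reply describes.
SAMPLE_LOGIN_PAGE = (
    "<html><head><title>Webmail Login</title></head><body>"
    "<form action='/login/' method='post'>"
    "<input type='text' name='user'><input type='password' name='pass'>"
    "</form></body></html>"
)
SAMPLE_DIR_LISTING = (
    "<html><head><title>Index of /webmail</title></head><body>"
    "<h1>Index of /webmail</h1><a href='/'>Parent Directory</a></body></html>"
)


if __name__ == "__main__":
    # Placeholder host: point this at your own server's /webmail path.
    final_url, status, body = fetch_following_redirects("https://example.com/webmail")
    print(f"final: {final_url} ({status})")
    print(verdict(status, body))
```

When run against a cPanel host, the hop output should show the `/webmail` to `:2096` redirect from the report and the verdict should be the false-positive line; a "directory-listing" verdict means the scanner was right and the index needs to be disabled or access-controlled, as the SOLUTION text in the report says.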
Hi,
Thank you very much for the update. There is no file/directory listing enabled here; it shows the login page.
I agree that this looks like a false positive from the scanning company.