• Status: Solved

Default/Sample Web Directories Exist

Many web directories that are installed by default contain sample files that were not meant for external access. These files could contain potentially sensitive system or proprietary information that could be accessible by an external attacker. In addition, a lot of these sample files and folders are vulnerable to known exploits and attacks that, at a minimum, could result in a denial of service attack, or lead to complete system compromise in a worst case scenario.
0
Asked by: Brijeshk9
1 Solution
 
Tintin Commented:
Nice statement.  Did you have a question?
0
 
Brijeshk9 (Author) Commented:
It's one of the website vulnerabilities identified by the scanner. Now I need a solution for it.
0
 
agriesser Commented:
Depending on the Apache version you're running, you can simply shut off these directories (like the documentation alias, etc.), unload unneeded server modules like the serverinfo and status modules, etc.

To disable/modify virtual host configurations on Apache2 based webservers, go to the directory "/etc/apache2/sites-enabled", look through all the symlinks in there and remove the ones you don't need.
Don't worry, if you accidentally deleted one, they're still there in the "/etc/apache2/sites-available" directory and can be re-established with the command `ln -s /etc/apache2/sites-available/NAME /etc/apache2/sites-enabled/NAME`.

Then, when you have tuned your webserver configuration, you can have a look at the modules that are loaded in your server and wipe out the ones that are not needed. The enabled modules are (like the VHosts) in a separate directory called /etc/apache2/mods-enabled (vs. /etc/apache2/mods-available, where all available modules are listed); remove the ones you don't need.

After you're done, reload the apache configuration with `/etc/init.d/apache2 reload` and run your scanning tool again to find out if things got better.

Unfortunately, without knowing what your scanning tool has mentioned as security flaws I cannot give you an exact answer about what to disable and what not. That also mostly depends on what your applications need from your webserver.
0
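An added example, not part of agriesser's answer or anyone's posted code: a POSIX shell function that audits the Debian-style layout described above for enabled server-info/status modules, packaged default vhosts, dangling symlinks, and Alias mappings to compare with the scanner's reported paths. The module file names (`info.load`, `status.load`), the default site names, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian-style Apache2 tree.
# Assumed names: info.load/status.load for the server-info and status
# modules, and 000-default/default/default-ssl for packaged default vhosts.
REVIEW_MODS="info status"
REVIEW_SITES="000-default default default-ssl"

# True if the path exists or is a (possibly dangling) symlink.
is_enabled() { [ -e "$1" ] || [ -L "$1" ]; }

# audit_enabled [ROOT]: print findings; return 1 if anything needs review.
audit_enabled() {
    root=${1:-/etc/apache2}
    found=0
    for m in $REVIEW_MODS; do
        if is_enabled "$root/mods-enabled/$m.load"; then
            echo "MODULE $m enabled (a2dismod $m)"
            found=1
        fi
    done
    for s in $REVIEW_SITES; do
        for f in "$root/sites-enabled/$s" "$root/sites-enabled/$s.conf"; do
            if is_enabled "$f"; then
                echo "SITE ${f##*/} enabled (a2dissite $s)"
                found=1
            fi
        done
    done
    # An enabled entry whose target no longer exists should be cleaned up.
    for l in "$root"/sites-enabled/* "$root"/mods-enabled/*; do
        if [ -L "$l" ] && [ ! -e "$l" ]; then
            echo "DANGLING $l"
            found=1
        fi
    done
    # Informational: URL prefixes mapped by Alias directives in enabled
    # vhosts, to compare against the paths the scanner reported.
    grep -hiE '^[[:space:]]*(Script)?Alias(Match)?[[:space:]]' \
        "$root"/sites-enabled/* 2>/dev/null | sed 's/^[[:space:]]*/ALIAS /' || true
    return $found
}
# Usage: audit_enabled /etc/apache2
```

Run it before and after the cleanup; a return status of 0 means none of the reviewed items are still enabled.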
 
Brijeshk9 (Author) Commented:
Please find below the evidence given by the scanning tool:
http://XX.XX.XX.XX/uddi/
http://XX.XX.XX.XX/help/index.htm
http://XX.XX.XX.XX/uddi/inquiry
http://XX.XX.XX.XX/uddi/demo/jsp/searchForm.jsp
[Note: XX stands in for the IP address]
0
 
Jason C. Levine (No one) Commented:
Did you create those directories and files or were they installed by default?

If you created them, ignore the warning.  If they were installed by default then agriesser has already provided the solution.
0
 
ahoffmann Commented:
> Now i need solution on it..
I'm pretty sure the scanner told you what should be done (otherwise get your money back:)

Anyway, you either simply have to remove the default web site, or configure the web server to deny access to it.
0
 
Brijeshk9 (Author) Commented:
Problem resolved
0
