3

After scanning my website with an automated tool I get this:

[Screenshot of the scan result; image not available]

Is this dangerous? Is it a vulnerability or not? If yes, what can an attacker do, and how do I fix it?

Test
  • You may find this question interesting: http://security.stackexchange.com/questions/4940/is-displaying-what-server-i-am-running-on-the-error-pages-a-security-risk – A. Darwin Apr 19 '16 at 18:52

1 Answer

4

The error message discloses the full file path structure of this web app, and the versions of Apache, and your OS. That's a lot of info to hand an attacker.

The more specifics an attacker has, the more the attacker can custom-tailor their attacks. Best practice is to hide this information, but not to rely on secrecy as a means to protect yourself (security by obscurity). But blinding your attacker is better than handing him the blueprints to your server.

The standard "fix" for info disclosure in error messages is to create custom, generic error messages that do not include all this data.

schroeder
  • Or configure the web server to not emit the data in error reports, HTTP headers, etc. Which is usually a good idea unless you have some specific reason to make the data publicly available... – user Apr 19 '16 at 19:09
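
The fix described in the answer and in the comment above, sketched as an Apache configuration. This is an added example, not part of the original thread; the `/errors/*.html` paths are hypothetical and assume static pages placed under the site's DocumentRoot.

```apache
# Added example: the weak settings are shown commented out, next to the hardened ones.

# Weak: the Server header and the footer of Apache-generated error pages
# carry the Apache version and OS details.
#   ServerTokens Full
#   ServerSignature On

# Hardened: the Server header is reduced to "Server: Apache".
# ServerTokens is only valid in the main server configuration,
# not inside a <VirtualHost> block or .htaccess.
ServerTokens Prod

# Hardened: no version/host/port footer on server-generated pages
# (error pages, directory listings).
ServerSignature Off

# Generic, static error pages instead of the built-in ones.
# Keep them free of version strings, stack traces and filesystem paths.
# (Hypothetical paths; the files must exist under DocumentRoot.)
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# Note: these directives only control what Apache itself emits.
# If the file paths in the scan result come from the application's own
# error output, that output has to be switched off in the application
# runtime as well (not shown here; the thread does not name the stack).
```

After reloading Apache, a request for a nonexistent URL should return a `Server: Apache` header and the custom 404 page, with no version footer in the body.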