Apache Lounge


About Forum Index Downloads Search Register Log in  RSS Apache Lounge  

Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.



A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.

Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Security Scan: web.config File Information Disclosure

Joined: 13 Oct 2021
Posts: 2
Location: Ireland

PostPosted: Wed 13 Oct '21 13:28    Post subject: Security Scan: web.config File Information Disclosure Reply with quote

Hi there

Apache2 version: Apache/2.4.51
Ubuntu: 20.04
PHP: 7.4.24

I'm new to working with Apache and on the servers and am trying to secure a new Apache server. After IT ran a security scan with SecurityMetrics on one of our websites, we are getting a result of 5 with the following vulnerability bringing our score down:

web.config File Information Disclosure
Synopsis: The remote web server hosts an application that is affected by an information disclosure vulnerability.
Resolution: Ensure proper restrictions are in place, or remove the web.config file if the file is not required.
Data Received: SecurityMetrics was able to exploit the issue using the following request : GET /web.config
HTTP/1.1 Host: WEBSITE.co.uk Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;
Windows NT 5.1; Trident/4.0) Pragma: no-cache Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png,
*/* This produced the following truncated output (limited
to 5 lines) : ------------------------------ snip ------------------------------
<!-- Rewrites requires Microsoft
URL Rewrite Module for IIS
Download: https://www.iis.net/downloads/microsoft/url-rewrite
Debug Help: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-failedrequest-tracing-to-trace-rewrite-rules --> [...]

I've done some research and web.config seems to be related to Microsoft rather than Ubuntu/Apache so cannot be found on the server. The links included in Data Received are all related to IIS which I don't believe are helpful in this case.

It seems a possible solution is to block access to web.config using the .htaccess, but not sure how that will work if there is no web.config file on the server or .htaccess as the website in question doesn't require a .htaccess file so doesn't have one.

Has anyone come across an issue like this before or know a way to secure this vulnerability? Maybe it is a false positive in the security scan also.
Apologies if I'm missing some information, please let me know and I'll update Smile

Thanks a million in advance
Back to top
James Blond

Joined: 19 Jan 2006
Posts: 7006
Location: Germany, Next to Hamburg

PostPosted: Mon 18 Oct '21 16:30    Post subject: Reply with quote

RewriteRule ^web.config$ - [F]

This does the trick. It might be even easier to delete that file.
Back to top

Joined: 13 Oct 2021
Posts: 2
Location: Ireland

PostPosted: Wed 20 Oct '21 10:16    Post subject: Reply with quote

Thanks so much for getting back to me! Can I just clarify that you'd add this to the apache.conf file?

I'd delete the web.config file but I can't actually find it on the server but I'll try your fix first! Thanks again
Back to top

Reply to topic   Topic: Security Scan: web.config File Information Disclosure View previous topic :: View next topic
Post new topic   Forum Index -> Apache