Summary

Acunetix 360 identified a Directory Listing (Tomcat).

The web server responded with a list of files located in the target directory.

Impact

An attacker can see the files located in the directory and could potentially access files which disclose sensitive information.

Actions To Take

  1. Change your web.xml file. A secure configuration for the requested directory should be similar to the following:
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
  2. Configure the web server to disallow directory listing requests.
  3. Ensure that the latest security patches have been applied to the web server and the current stable version of the software is in use.

Severity

Information

Classification

CAPEC-127 CWE-548 ISO27001-A.9.4.1 WASC-16 OWASP 2013-A5 OWASP 2017-A6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C