TWA 0405
Ulrich Berntien edited this page Sep 6, 2020 · 2 revisions
"Config file being served at: ${url}"
In the message output, the variable ${url} is replaced by the served URL of the configuration file.
Configuration files of the web server, or of other programs running on the server, should not be published by the web server. A potential attacker should not be able to obtain information about the internal settings of the web server.
Currently (August 2020), the twa script checks for the files 'config.xml', 'config.json', 'config.yaml', 'config.yml', 'config.ini' and 'config.cfg'.
Configure the web server to not publish files with internal data.
Several configuration options exist to suppress files whose names match a pattern in a blacklist, or files that are not in a whitelist. Search the web for examples.
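As a complement to the server-side setting, the document root can be checked before deployment for the six file names listed above. The following is an added example, not part of twa or of this wiki page; the function name `find_exposed_configs` and the docroot argument are assumptions, and the search through all subdirectories with case-insensitive matching is an extension of the list on this page.

```bash
#!/usr/bin/env bash
# Added example: pre-deployment check of a web document root for the
# six file names listed on this page (twa, August 2020).
# find_exposed_configs and its argument are hypothetical names.

# Print the URL path of every matching file below the docroot in $1.
# Return codes: 0 = nothing found, 1 = at least one file would be
# published, 2 = the argument is not a directory.
find_exposed_configs() {
    local docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }

    local hits
    # -iname: on case-insensitive file systems CONFIG.JSON is served too.
    # The match is on the whole base name, so myconfig.json is ignored.
    hits=$(cd "$docroot" && find . -type f \( \
              -iname 'config.xml'  -o -iname 'config.json' -o \
              -iname 'config.yaml' -o -iname 'config.yml'  -o \
              -iname 'config.ini'  -o -iname 'config.cfg' \) -print \
           | sed 's|^\./|/|' | LC_ALL=C sort)

    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# When called with an argument, run the check on that directory so the
# exit status can fail a CI or deployment step.
[ $# -eq 0 ] || find_exposed_configs "$1"
```

A non-zero exit status means a file should be moved out of the document root or blocked by the web server before the site goes live.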