Magento Directory Listing

medium Web App Scanning Plugin ID 98986

Language:

Synopsis

Magento Directory Listing

Description

The scanner has detected publicly accessible directory listings on the Magento web application. This may expose sensitive information to an attacker which may allow for further exploitation techniques to be leveraged, possibly leading to sensitive information leakage or a compromise of the target server.

Solution

Ensure requests to sensitive resources and directories are blocked using .htaccess files or by using a WAF for example.

See Also

https://docs.magento.com/m1/ce/user_guide/magento/magento-security-best-practices.html

Plugin Details

Severity: Medium

ID: 98986

Type: remote

Family: Web Applications

Published: 3/20/2020

Updated: 11/22/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 548

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1

WASC: Directory Indexing

DISA STIG: APSC-DV-002480

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-4.3.2

PCI-DSS: 3.2-6.5.8