The web application exposes files to the client. Some of these files are not essential for the working of the application. Furthermore, these files expose details of the inner workings of the application. This information can aid in exploiting other vulnerabilities.
Impact
Some technical information about the application can be obtained.
KSP violation
YES: KSP-RE-266 v1.0
Evidence
The following steps can be used to exploit this vulnerability:
1. Browse to the following URL: https://CAPC:8443/pc/extjs/
2. The ExtJS default interface is shown. The /examples/ endpoint is not available, denying further exploitation of this component.
Recommendation
Only deploy or install services, middleware and programs which are essential to the correct working of the application. If partial installations are not possible, non-essential services and functionality should be removed or disabled.
Use a subdirectory of the project as the webroot, so that adding a file to the project does not automatically expose it to the internet.
Reflect the above in the security baseline of the host in order to prevent the same finding in future assessments. The security baseline must be applied every time a host is taken into production.
How can this view be disabled in Performance Center?
Release : 3.7
Component : CA DATABASE COMMAND CENTER
Renaming, deleting or moving the index.html will fix this bug.
Doing this has no impact on existing product functionality.
To fix it, run any ONE of the following commands (they are alternatives, not sequential steps):
1. mv /opt/CA/PerformanceCenter/PC/webapps/pc/extjs/index.html /opt/CA/PerformanceCenter/PC/webapps/pc/extjs/index.bak
2. mv /opt/CA/PerformanceCenter/PC/webapps/pc/extjs/index.html /tmp
3. rm /opt/CA/PerformanceCenter/PC/webapps/pc/extjs/index.html
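The recommendation above (deploy only essential files, and keep a baseline that is re-applied every time a host goes into production) and the one-off fix are easiest to keep in sync with a small baseline check. The following POSIX shell script is an added example and is not part of the CA article or the CA product: it lists the relative paths a baseline considers non-essential, reports any that are present under a webroot, and moves them out of the webroot into a backup directory, mirroring the "mv ... /tmp" fix. The path list and the demo directory tree are constructed for illustration; only extjs/index.html comes from the page, and extjs/examples is assumed as a second entry.

```shell
#!/bin/sh
# Added example (not CA's code): baseline check for non-essential files in a webroot.
# NONESSENTIAL_PATHS is an assumed baseline list; extjs/index.html is the file
# named in the article, extjs/examples is added as an illustrative entry.
NONESSENTIAL_PATHS="extjs/index.html extjs/examples"

# check_webroot WEBROOT
# Prints every non-essential path that exists under WEBROOT.
# Returns 0 when the webroot is clean, 1 when something is exposed.
check_webroot() {
    webroot="$1"
    found=0
    for rel in $NONESSENTIAL_PATHS; do
        if [ -e "$webroot/$rel" ]; then
            echo "EXPOSED: $webroot/$rel"
            found=1
        fi
    done
    return $found
}

# remediate_webroot WEBROOT BACKUPDIR
# Moves each non-essential path out of WEBROOT into BACKUPDIR, preserving the
# relative layout so the file can be restored if a rollback is ever needed.
remediate_webroot() {
    webroot="$1"
    backup="$2"
    for rel in $NONESSENTIAL_PATHS; do
        if [ -e "$webroot/$rel" ]; then
            mkdir -p "$backup/$(dirname "$rel")"
            mv "$webroot/$rel" "$backup/$rel"
            echo "moved $rel -> $backup/$rel"
        fi
    done
}

# demo: builds a constructed directory tree (not a real installation), runs the
# check, remediates, and checks again. Returns 0 if the post-remediation check is clean.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webroot/extjs/examples"
    echo '<html>constructed ExtJS default index</html>' > "$tmp/webroot/extjs/index.html"
    if check_webroot "$tmp/webroot"; then
        echo "clean before remediation (unexpected)"
    else
        echo "non-essential files found, remediating"
    fi
    remediate_webroot "$tmp/webroot" "$tmp/backup"
    check_webroot "$tmp/webroot"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run check_webroot against the real webroot (for the product on this page that is /opt/CA/PerformanceCenter/PC/webapps/pc) from the baseline job that runs at provisioning time, and fail the job when it returns non-zero; that turns the one-off fix into the repeatable control the recommendation asks for.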