Fixing/hiding Path Based Vulnerabilities in WordPress

2.3k views Asked by At

I have a WordPress site that I manage. I recently received a Qualys vulnerability security scan (non-authenticated scan) that has a large number of "Path Based Vulnerability" findings. Almost all of the paths listed follow this format:

https://www.example.com/search/SomeString

https://www.example.com/search/1/feed/rss2

Some examples include:

https://www.example.com/search/errors

https://www.example.com/search/admin https://www.example.com/search/bin

When I go to these URL's, I get an appropriate search page response stating, for example, "Search for Admin produced no results".

But, if I go to https://www.example.com/search/ without a string parameter, I get a 404 error (custom error page) stating the page could not be found. All this works like I would expect it to. No sensitive data/pages are being shown.

An example of the Qualys finding is:

150004 Path-Based Vulnerability URL: https://www.example.com/search/1/feed/rss2/ Finding # 8346060(130736429) Severity Confirmed Vulnerability - Level 2 Unique # redacted Group Path Disclosure Detection Date 22 Mar 2021 18:16 GMT-0400 CWE CWE-22 OWASP A5 Broken Access Control WASC WASC-15 APPLICATION MISCONFIGURATION WASC-16 DIRECTORY INDEXING WASC-17 IMPROPER FILESYSTEM PERMISSIONS CVSS V3 Base 5.3 CVSS V3 Temporal5 CVSS V3 Attack VectorNetwork

Details Threat A potentially sensitive file, directory, or directory listing was discovered on the Web server.

Impact The contents of this file or directory may disclose sensitive information.

Solution Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

Detection Information Parameter No param has been required for detecting the information. Authentication In order to detect this vulnerability, no authentication has been required. Access Path Here is the path followed by the scanner to reach the exploitable URL: https://www.example.com https://www.example.com/?s=1

Payloads

#1
#1 Request
GET https://www.example.com/search/tools/
Referer: https://www.example.com
Cookie: [removed in case its sensitive];
caosLocalGa= [removed in case its sensitive];
Host: https://www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1

Safari/605.1.15 Accept: /

Based on the findings, this seems to be a false positive. But, my CIO insists that I prove it as such. First, is there any documentations on this that might be helpful? Second, does anyone know of any updates to WP that could hide/remove these findings?

1

There are 1 answers

0
user2891127 On

(I'd comment, but my rep isn't high enough.)

I can partially answer this, as I fighting the same battle right now with a different web app. If you run the request in a browser with the developer tools on, I'll bet you'll see the response code from the server is 200 even though it is actually doing a redirect.

The scanner sees the response code is OK and based on that, the request succeeded as is when it really didn't. You have to give it a different response code when doing a "silent" redirect.