I received a security scan from Fortify on a webapp (using SSL/HTTPS) written in Angular that I am working on, and I have two questions (high-risk issues) that I'm seeking help on.
- Access Control: Unprotected File - GET /fonts/fontawesome-webfont.ttf?4.3.0. So the webapp uses fontawesome icons and I'm guessing that the webfont files being accessible is the problem? I'd first like clarification that my understanding is correct. Then, is there anything I can do? If I change the permissions, I can stop the access to the file, but then the icons don't display! Is it really a high security risk that the webfont files are unprotected?
- Password Management: Insecure Submission - GET /templates/some_file.html?user=12345&pwd=12345. The webapp at a certain point will pop up a modal that requests a username and password. 'user' and 'pwd' are from the name field, and I don't know if simply removing the name fields from the inputs would solve this problem? The other thing that I've already done is to take all the html files that are not index.html and build them (using grunt) into a javascript file, so now you can't just access /templates/some_file.html. I don't know if that solves this problem as well?
Finally, I see CWE numbers, and I'm unclear as to whether these correspond to the CVE numbers that I've seen mentioned on sites? When I receive a report like this, is there a site I can go to that explains these issues in detail so that I may learn about them?
Best Regards, Julie