0

I have run a Qualys Web Application Scan for a customer website and found the "Path Disclosure Path-Based Vulnerability".

If the normal URL is like this: http://example.com/
and I go to the URL http://example.com/m/templates/,
I can find the files and directories there and navigate the server.

In my report I have to give the "solution". So the question is, how to fix this vulnerability?

BR.Hamza

1 Answer

4

The feature you need to disable is usually called "directory browsing", and the method for doing so depends on which web server your customer uses.

It is usually a simple configuration change. Look at these instructions for Apache and IIS, which are two of the more popular web servers. Every web server should have documentation that describes how to configure this setting.


Note that the customer may not have direct control over the application. Some applications automatically install a bundled web server, and some products are distributed as virtual machines. In these cases, the customer may be unable or unwilling to configure the web server directly.

In these cases, your customer may contact the vendor for assistance or ignore the finding.

DoubleD
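As an added illustration of the configuration change described in the answer (not part of the original post), this is what disabling directory browsing looks like on Apache httpd. The document root `/var/www/html` is an assumed placeholder; use the directory that actually serves `/m/templates/`.

```apache
# Before (listing enabled): a request for a directory that has no index
# file returns an auto-generated listing of its contents.
#
# <Directory "/var/www/html">
#     Options Indexes FollowSymLinks
# </Directory>

# After: remove Indexes so the same request returns 403 Forbidden.
# When +/- prefixes are used, every option on the line needs one.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>

# Equivalent setting on IIS, placed in web.config under <system.webServer>:
#   <directoryBrowse enabled="false" />
```

After reloading the server, requesting http://example.com/m/templates/ again should return an error page rather than a file listing, which is also what the scanner will recheck.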