Recently we ran a security scan on one of our web applications, and it reported one issue as a path-based vulnerability. The scenario is as follows.
The request URL our application is intended to accept is www.host.com/what/ever/ourPage, but the security report shows that www.host.com/what/ever/ourPage.old is a malicious URL, even though our application redirects the request to www.host.com/what/ever/ourPage without any problem. This is what the security scan report says.
Threat: A potentially sensitive file, directory, or directory listing was discovered on the Web server.
Impact: The contents of this file or directory may disclose sensitive information.
Solution: Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.
We are also using a number of tracking and campaign tools, so we are not sure whether this gets appended by one of them.
Is it a good idea to block that kind of request, and could I please know why?
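One way to block this class of request, as an added example that is not part of the question above and not the poster's code: a small WSGI middleware that answers 404 to any path whose last segment ends in a backup-style suffix (`.old`, `.bak`, `~` and friends) before the request reaches the application's router or its redirect logic. The suffix list and the `demo_app` stand-in for the real application are assumptions made for the example.

```python
import re
from wsgiref.util import setup_testing_defaults

# Suffixes that backup-file probes commonly try (assumed list; extend as needed).
BACKUP_SUFFIX_RE = re.compile(
    r"(?:\.(?:old|bak|backup|orig|save|swp|tmp|copy)|~)$", re.IGNORECASE
)


def is_backup_style_path(path: str) -> bool:
    """True when the final path segment ends in a backup/editor-artifact suffix."""
    last_segment = path.rstrip("/").rsplit("/", 1)[-1]
    return bool(BACKUP_SUFFIX_RE.search(last_segment))


class BlockBackupPaths:
    """WSGI middleware: answer 404 to backup-style paths before the app sees them."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # PATH_INFO is already percent-decoded by the WSGI server, so
        # /ourPage%2Eold is caught the same way as /ourPage.old.
        if is_backup_style_path(environ.get("PATH_INFO", "")):
            body = b"Not Found\n"
            start_response(
                "404 Not Found",
                [("Content-Type", "text/plain"),
                 ("Content-Length", str(len(body)))],
            )
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Hypothetical stand-in for the real application: serves /what/ever/ourPage
    and redirects any other path to it, mimicking the behaviour described."""
    path = environ.get("PATH_INFO", "")
    if path == "/what/ever/ourPage":
        body = b"the real page\n"
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    start_response("302 Found", [("Location", "/what/ever/ourPage"),
                                 ("Content-Length", "0")])
    return [b""]


def request(app, path):
    """Drive a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = BlockBackupPaths(demo_app)
    for p in ["/what/ever/ourPage", "/what/ever/ourPage.old",
              "/what/ever/ourPage~", "/what/ever/other"]:
        status, headers, _ = request(app, p)
        print(f"{p:24} -> {status} {headers.get('Location', '')}")
```

The check only looks at the last path segment, so a directory name containing `.old` earlier in the path is left alone, and it answers 404 rather than redirecting so the probed URL neither confirms that anything exists there nor hands the scanner a followable response. The same rule can be expressed as a location or rewrite rule in the reverse proxy in front of the application if that is where such filtering already lives.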