
We have a website hosted on a server with the nginx webserver.

Now, we have a file called web.config in /var/www/html/

So, when we had a security audit done for the servers, they recommended the following:

web.config File Information Disclosure
Ensure proper restrictions are in place, or remove the web.config file if the file is not required. Nessus was able to exploit the issue using the following request :
GET /web.config HTTP/1.1

So, even if I change the permission to read-only, I am still able to download the data from the browser.

What can be done here? Should we delete the file, or is there an alternative to restrict access so that the file can still exist with restrictions?


1 Answer


Typically a web.config is used to configure IIS and the ASP.NET web applications, a bit similar to how .htaccess files are used to configure Apache httpd, although a web.config will often contain more privileged information such as a database connection string with credentials.

On IIS public access to the web.config is blocked by default, similar to how apache httpd by default blocks access to .htaccess files.

For nginx neither web.config nor .htaccess files have any special meaning and therefore by default access to them is not blocked.

There are several solutions:

  • The finding is mostly a false positive as a web.config serves no purpose on nginx. It can simply be deleted to make the auditor happy, but there was no real information disclosure there. (Maybe it is an artifact left from the past when the application was still running on IIS?)

  • The finding is genuine. Some developers use a web.config file to store settings for their applications, regardless of the language/platform they're using for their project.

    • Ideally the developer adjusts their application such that settings don't need to be stored in the webroot.

    • Using file system permissions to block access to nginx is usually not possible, as the web application(s) still need to access that file.

    • Nginx can be used to block public access to the URL path:

      # Allow access to the ACME Challenge for Let's Encrypt
      # (must come before the "/\." rule: regex locations are tried in order)
      location ~ /\.well-known\/acme-challenge {
        allow all;
      }
      
      # Deny all attempts to access hidden files
      # such as .htaccess, .htpasswd, .git etc. etc. 
      location ~ /\. {
         deny all;
      }
      
      # Deny all attempts to access web.config files
      # (dot escaped so the regex matches a literal "." rather than any character)
      location ~ /web\.config {
          deny all;
      }
      
HBruijn
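Added example (not part of the answer above): a small Python model of how nginx evaluates the three regex locations from the answer, so the rules can be checked against sample request paths before deploying them. It assumes a simplified nginx: only `~` (case-sensitive) regex locations are defined, tried in configuration order, first match wins.

```python
import re

# Regex locations taken from the answer's nginx snippet, in configuration order.
# nginx tests "~" locations in the order they appear and the first match wins,
# which is why the ACME rule has to precede the "/\." hidden-file rule.
# Simplification (assumption): no prefix (/foo) or exact (= /foo) locations exist.
REGEX_LOCATIONS = [
    (r"/\.well-known\/acme-challenge", "allow"),
    (r"/\.", "deny"),
    (r"/web\.config", "deny"),  # escaped dot: matches "web.config", not "webXconfig"
]


def decide(uri: str, locations=REGEX_LOCATIONS) -> str:
    """Return the action of the first matching regex location.

    'default' means no regex location matched and nginx would serve the
    request normally (here: expose the file if it exists in the webroot).
    """
    for pattern, action in locations:
        # "~" is case-sensitive, so re.search without IGNORECASE models it.
        if re.search(pattern, uri):
            return action
    return "default"


def audit(uris, locations=REGEX_LOCATIONS) -> dict:
    """Map each request path to the verdict the configuration would give."""
    return {uri: decide(uri, locations) for uri in uris}


# Constructed sample request paths, including the one from the Nessus finding.
SAMPLE_URIS = [
    "/web.config",
    "/app/web.config",
    "/web.config.bak",
    "/.git/config",
    "/.well-known/acme-challenge/abc123",
    "/index.html",
]

if __name__ == "__main__":
    for uri, verdict in audit(SAMPLE_URIS).items():
        print(f"{uri:40s} -> {verdict}")
```

Swapping the first two rules, or using the unescaped `/web.config` pattern, changes the verdicts for the ACME path and for paths like `/webXconfig`, which is the kind of regression this check is meant to catch.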