Web Server Misconfiguration: Unprotected File (Archived File (*.zip))

Browse to ~FullURL~ and inspect the content. The response should come back with HTTP status code 200 and should not match the target site's "file not found" page.

Test request (WebInspect's File Extension Addition engine appended .zip to the crawled path /download/ITA.profile, the Referer below; the X-WIPP, X-Scan-Memo, X-RequestManager-Memo, X-Request-Memo and CustomCookie headers are scanner bookkeeping, not part of the attack):

GET /download/ITA.profile.zip HTTP/1.1
Referer: http://10.107.34.210/download/ITA.profile
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Host: 10.107.34.210
Connection: Keep-Alive
X-WIPP: AscVersion=21.1.0.137
X-Scan-Memo: Category="Audit.Attack";SID="466EE4A3D64AA3AC4E0FDB0D25D05C28";PSID="E2467669A920E8441F38DD1FA60BD2A4";SessionType="AuditAttack";CrawlType="None";AttackType="Search";OriginatingEngineID="aabf09b7-996e-479e-9ecc-9f0508d42d72";AttackSequence="0";AttackParamDesc="";AttackParamIndex="0";AttackParamSubIndex="0";CheckId="11415";Engine="File+Extension+Addition";SmartMode="4";tht="30";
X-RequestManager-Memo: stid="9";stmi="0";sc="1";rid="9229d169";
X-Request-Memo: rid="5d6377d5";sc="1";thid="19";
Cookie: CustomCookie=WebInspect178410ZX4BBFA2A7A33648B88064C060E2F1903BY0736

Response:

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2022 10:53:26 GMT
Server: Apache
Last-Modified: Sun, 02 Oct 2022 13:00:03 GMT
Accept-Ranges: bytes
Content-Length: 51
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=33
Connection: Keep-Alive
Content-Type: application/zip

(body truncated by the scanner; shown as application/x-zip-compressed)

Description:

WebInspect has detected an archive file with the .zip extension on the target server. The severity of the threat posed by a web-accessible backup file depends on the sensitivity of the information in the original document. From such files an attacker can learn the site architecture, database and network access credentials, encryption keys, and so on, and use that information to craft precise targeted attacks against the application that would not otherwise be feasible.

An attacker can use the information obtained from the backup copy of a sensitive document to craft a precise, targeted attack against the web application. Such attacks can include, but are not limited to, SQL injection, remote file system access to overwrite files or inject malware, and database manipulation.
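The check the scanner ran above, as an added example that is not part of the original page or of WebInspect: a POSIX shell script that builds the backup-file variants of a crawled URL, fetches them, and applies the finding's own criterion (200 and not the site's not-found page), plus the check a practitioner wants before reporting a hit: that the body really starts with the ZIP signature rather than being a placeholder page served with a 200. The host and path are the ones from the finding; the extension list, the not-found fingerprint and the curl flags are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or from WebInspect): reproduce the
# "File Extension Addition" check by hand. Given a crawled URL, build the
# archive/backup variants, fetch each one, and only report a hit when the
# response is 200, the body is not the site's own "not found" page, and the
# body really starts with a ZIP local-file-header signature (PK\003\004).
# The host and path in the usage note are from the finding; the extension
# list and the not-found fingerprint are assumptions for illustration.

# Extensions a backup-file check appends to the crawled path (assumed list).
BACKUP_EXTS=".zip .bak .old .orig .tar.gz .tgz .rar .7z ~"

# Print the candidate URLs for one base URL, one per line.
candidate_urls() {
    base="$1"
    for ext in $BACKUP_EXTS; do
        printf '%s%s\n' "$base" "$ext"
    done
}

# 0 if the file starts with the ZIP signature 50 4b 03 04, else 1.
is_zip() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "504b0304" ]
}

# Classify one fetched response. Arguments: HTTP status, body file, and a
# non-empty fingerprint string that appears in the target's "file not found"
# page (assumed; capture it from a deliberately bogus URL first).
# Prints one of: exposed-archive, soft-404, not-archive, absent.
classify_response() {
    status="$1"; body="$2"; notfound_fp="$3"
    if [ "$status" != "200" ]; then
        echo absent
    elif [ -n "$notfound_fp" ] && grep -q -- "$notfound_fp" "$body"; then
        echo soft-404          # 200 OK, but it is the custom not-found page
    elif is_zip "$body"; then
        echo exposed-archive   # this is the WebInspect finding
    else
        echo not-archive       # 200 with some other body: inspect manually
    fi
}

# Fetch a URL with curl, then classify it. Needs network access, so it is
# not exercised by the offline self-test.
probe() {
    url="$1"; notfound_fp="$2"
    body=$(mktemp)
    status=$(curl -s -o "$body" -w '%{http_code}' -H 'Pragma: no-cache' "$url")
    printf '%s %s\n' "$(classify_response "$status" "$body" "$notfound_fp")" "$url"
    rm -f "$body"
}

# Usage: probe every variant of the crawled download URL from the finding.
#   candidate_urls http://10.107.34.210/download/ITA.profile | while read -r u; do
#       probe "$u" 'File Not Found'
#   done
```

The fingerprint matters: many sites answer unknown paths with a 200 and a friendly page, which is exactly why the finding's own criterion is "200 and not the not-found page" rather than "200" alone.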

Recommendation:

Webroot Security Policy: Implement a security policy that prohibits storing backup files in the webroot.

Temporary Files: Many tools and editors automatically create temporary or backup files in the webroot. Be careful when editing files on a production server to avoid inadvertently leaving a backup or temporary copy of the file(s) in the webroot.

Default Installations: Often, many unnecessary files and folders are installed by default. For instance, IIS installations include demo applications. Be sure to remove any files or folders that are not required for the application to work properly.

Development Backup: Source code backups should not be stored and left available in the webroot.

Further QA can include test cases that look for the presence of backup files in the webroot, to ensure none are left in publicly accessible folders of the web application.
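One way to run that QA check, as an added example that is not part of the original page: a POSIX shell script that scans every directory Apache serves (DocumentRoot and the Alias target from this finding, not only the webroot) for archive, backup and editor temp files, and fails the job if it finds any. The two paths are the ones from the finding; the pattern list and the idea of wiring it into CI are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): a QA check that scans the
# directories Apache serves for backup, archive and editor temp files, so a
# stray ITA.profile.zip is caught before a scanner finds it. The DocumentRoot
# and the Alias target in the usage note are the paths from the finding; the
# pattern list and the CI wiring are assumptions for illustration.

# Filename patterns that have no business under a served directory.
BACKUP_PATTERNS='*.zip *.tar *.tar.gz *.tgz *.rar *.7z *.bak *.old *.orig *.swp *~ .DS_Store'

# Print every regular file under DIR whose name matches one of the patterns.
scan_dir() {
    dir="$1"
    # Build "-name P1 -o -name P2 ..." as positional parameters. Globbing is
    # switched off while the pattern list is split so that *.zip is not
    # expanded against the current directory.
    set -f
    set --
    for pat in $BACKUP_PATTERNS; do
        if [ $# -eq 0 ]; then
            set -- -name "$pat"
        else
            set -- "$@" -o -name "$pat"
        fi
    done
    set +f
    find "$dir" -type f \( "$@" \)
}

# Scan each directory given; directories that do not exist are skipped.
find_backup_files() {
    for dir in "$@"; do
        if [ -d "$dir" ]; then
            scan_dir "$dir"
        fi
    done
    return 0
}

# Return 1 (fail the QA job) if anything is found, listing the offenders.
assert_no_backup_files() {
    hits=$(find_backup_files "$@")
    if [ -n "$hits" ]; then
        printf 'backup/temp files left in a served directory:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Usage (paths from the finding): run after each deployment, e.g. from CI.
#   assert_no_backup_files /srv/www/htdocs /home/cht_s
```

Scanning the Alias target is the point: in this finding the archive lived in /home/cht_s, which is not under DocumentRoot at all, so a check limited to /srv/www/htdocs would have passed.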


The relevant directives from the affected server's httpd.conf. The /download/ path is an Alias for /home/cht_s/, a home directory outside DocumentRoot that Apache serves all the same, so anything copied there (here ITA.profile.zip) becomes reachable as /download/<name>:

ServerRoot "/etc/httpd"
DocumentRoot "/srv/www/htdocs"

Alias /download/ "/home/cht_s/"


Protecting a directory in Apache


In httpd.conf, set AccessFileName .htaccess and add AllowOverride All inside <Directory />. Note that AllowOverride All on / lets a .htaccess file anywhere on the filesystem change server behaviour; if you use this approach, scope it to the directory being protected, <Directory "/home/cht_s">, instead.

To protect a specific directory, place a .htaccess file in the directory you want to protect. The rules and directives in a .htaccess file are enforced in the directory it sits in and in all of its subdirectories. Then create /home/cht_s/.htaccess with the following content:


# /home/cht_s/.htaccess (Apache does not allow comments after a directive on
# the same line, so they are kept on their own lines)
# Realm name shown in the browser's credential prompt
AuthName "ITA_profile"
AuthType Basic
# Absolute path to the password file
AuthUserFile "/home/cht_s/.htpasswd"
# Any user listed in the password file may access the directory
require valid-user

The matching .htpasswd file must be at the path given by the AuthUserFile directive, here "/home/cht_s/.htpasswd". Because /home/cht_s is served as /download/, that puts the hash file inside a web-accessible directory: confirm that httpd.conf still contains the stock <Files ".ht*"> block that denies all access to .ht* files, or better, keep the hash file outside any served directory. Basic authentication only base64-encodes the credentials, so /download/ should be served over HTTPS rather than the plain HTTP seen in the request above. And since the finding is a backup archive left in a served directory, removing it is the primary fix; the authentication below is an extra layer, not a replacement. A typical .htpasswd file looks like this:

pr:$apr1$clme56rh$7kbO8h94VA5UWBNpdayu80
pr1:$apr1$l76zf4jy$M7064lZwDjJjGigJ48fqP/
pr2:$apr1$f2dmapgz$C.8mBkD1DoUiBVJGaCfJM0

Generating the password with openssl passwd

This method needs no extra packages. Run the following (where /etc/apache2/.htpasswd is the file to write to and pr is the user name). The path must match the AuthUserFile directive, so on this server it would be /home/cht_s/.htpasswd. printf is used instead of echo -n because when sh is dash, echo -n prints a literal "-n":
sudo sh -c "printf 'pr:' >> /etc/apache2/.htpasswd"

Then run the following to generate the hash (it prompts for the password twice and appends the apr1 hash to the file). Note that the pair of commands appends unconditionally: running them again for the same user name adds a second entry rather than replacing the first.

sudo sh -c "openssl passwd -apr1 >> /etc/apache2/.htpasswd"

Finally, check the configuration and restart Apache (configtest catches a typo in httpd.conf before the restart takes the site down; .htaccess files are parsed per request and are not covered by it):

/etc/httpd/bin/apachectl configtest
/etc/httpd/bin/apachectl restart
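The whole procedure above, collected into one script as an added example that is not part of the original page: it creates .htpasswd entries with openssl passwd -apr1 without putting the password on the command line, refuses to add a user twice (a plain >> silently appends duplicates), can verify a password against the stored hash by recomputing it with the stored salt, and writes an httpd.conf fragment that protects the Alias target directly (no AllowOverride All on / and no .htaccess needed) and blocks .ht* files, since /home/cht_s is served as /download/. The directory, realm and AuthUserFile path are the ones from the finding; the conf.d file name, the Apache 2.4 Require syntax and the user names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the .htpasswd and restart
# steps as a script. The directory, realm and hash-file path are from the
# finding; the conf.d file name, the assumption of Apache 2.4 (mod_authz_core
# "Require" syntax) and the user names are assumptions for illustration.

# Print the stored hash for USER in FILE, or nothing if absent.
# Usage: htpasswd_lookup FILE USER
htpasswd_lookup() {
    [ -f "$1" ] || return 0
    awk -F: -v u="$2" '$1 == u { print substr($0, length(u) + 2); exit }' "$1"
}

# Append USER to FILE with an apr1 (Apache MD5) hash. The password goes to
# openssl on stdin so it never shows up in `ps`. Refuses to add a user that
# is already present, which a plain `>>` would silently duplicate.
# Usage: htpasswd_add FILE USER PASSWORD
htpasswd_add() {
    file="$1"; user="$2"; pass="$3"
    if [ -n "$(htpasswd_lookup "$file" "$user")" ]; then
        echo "user $user already present in $file" >&2
        return 1
    fi
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash" >> "$file"
    chmod 640 "$file"   # readable by the httpd group only; adjust owner:group
}

# Return 0 if PASSWORD matches the stored hash for USER, 1 otherwise. The salt
# is the third '$'-separated field of "$apr1$salt$hash"; hashing the candidate
# password with that salt must reproduce the stored string exactly.
# Usage: htpasswd_check FILE USER PASSWORD
htpasswd_check() {
    file="$1"; user="$2"; pass="$3"
    stored=$(htpasswd_lookup "$file" "$user")
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    recomputed=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$recomputed" = "$stored" ]
}

# Write an httpd.conf fragment that protects the Alias target itself, so no
# AllowOverride All on / and no .htaccess are required. On Apache 2.2 the
# <Files> block would use "Order deny,allow" / "Deny from all" instead.
# Usage: write_download_auth_conf /etc/httpd/conf.d/download-auth.conf
write_download_auth_conf() {
    cat > "$1" <<'EOF'
# Protect /home/cht_s, which is served as /download/ (see the Alias directive)
<Directory "/home/cht_s">
    AuthType Basic
    AuthName "ITA_profile"
    AuthUserFile "/home/cht_s/.htpasswd"
    Require valid-user
</Directory>

# Never serve the credential file or any other .ht* file, wherever it sits
<Files ".ht*">
    Require all denied
</Files>
EOF
}

# End-to-end run (needs root and the openssl binary; the apachectl steps are
# skipped when apachectl is not on PATH, e.g. in a CI container).
# Usage: harden_download_dir 'password-for-user-pr'
harden_download_dir() {
    write_download_auth_conf /etc/httpd/conf.d/download-auth.conf
    htpasswd_add /home/cht_s/.htpasswd pr "$1"
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest && apachectl graceful
    fi
}
```

htpasswd_check is the same computation Apache's mod_authn_file performs on each request, which makes it a handy way to confirm a freshly added entry before restarting the server.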

Test

Request ~FullURL~ again. Without credentials the response should now be 401 Unauthorized with a WWW-Authenticate: Basic realm="ITA_profile" header; with a user from .htpasswd it should return the file. Also confirm that the body of any 200 response is a real ZIP (it starts with the bytes PK\x03\x04) rather than a placeholder page, and that /download/.htpasswd itself is refused.


