150004 Path-Based Vulnerability - possible false detection?

Discussion created by James Curry on Jun 13, 2017
Latest reply on Jun 14, 2017 by Busby


I ran the Qualys scan recently and it reported 10 counts of path disclosure.  The vulnerability is showing up because we are getting a response of 200 when hitting any URL within our site.  
If you are logged in before attempting to access one of the vulnerable sites listed by Qualys, it returns a 404 because the site doesn't exist.

Examples: 

   https://domain.com/JobManagement.old

   https://domain.com/JobManagement.orig
Example of the 404
If you aren't logged in before attempting to access one of the above sites, it returns a 200 and redirects you to our single sign-on page so that the user can log in before being redirected to the site they requested, which will in turn return a 404.
Example of the 200 redirected to CAMS/Single Sign On
Is this possibly a false positive?
Thanks
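The check a practitioner would run on a finding like this is a baseline diff: request a path that cannot exist, request the path the scanner flagged, and only treat the flagged path as real if the two answers differ. A catch-all (every unknown path answered 200 with the SSO bounce page) makes both answers identical, which is the false-positive signature. The script below is an added example, not code from the thread, Qualys, or the poster's site. The `simulated_fetch` server is constructed to behave as the post describes; the existing paths it serves, the `/JobManagement.bak` leftover file, and the `/cams/login` URL are assumptions for the demonstration. `http_fetch` is the same check pointed at a real host and is not called here.

```python
import hashlib
import re
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# ---- Constructed simulation of the behaviour described in the post (assumed, not real code) ----
# "/JobManagement.bak" is an assumed, genuinely present leftover file, included so the check has
# something real to flag next to the scanner's phantom ".old" / ".orig" hits.
EXISTING = {
    "/JobManagement": "<html>Job management console</html>",
    "/JobManagement.bak": "<?php // old copy with db credentials ?>",
}
# Assumed SSO bounce page: a 200 whose body sends the browser to the login URL (path assumed).
SSO_PAGE = ('<html><head><meta http-equiv="refresh" content="0;url=/cams/login?return={path}">'
            "</head><body>Redirecting to single sign on...</body></html>")


def simulated_fetch(path, session=None):
    """Unauthenticated: every path answers 200 with the SSO bounce page.
    Authenticated: known paths answer 200, everything else answers 404."""
    if session != "valid-session":
        return Response(200, {"Content-Type": "text/html"}, SSO_PAGE.format(path=path))
    if path in EXISTING:
        return Response(200, {"Content-Type": "text/html"}, EXISTING[path])
    return Response(404, {"Content-Type": "text/html"}, "<html>404 Not Found: %s</html>" % path)


# ---- Generic baseline-diff check, usable against the simulation or a real host ----
def fingerprint(resp, probe_path):
    """Reduce a response to (status, Location, body hash). The probed path is scrubbed from
    the body first, so two catch-all answers that only echo a different path compare equal."""
    body = resp.body.replace(probe_path, "{PATH}")
    body = re.sub(r"\s+", " ", body).strip()
    digest = hashlib.sha256(body.encode()).hexdigest()[:16]
    return (resp.status, resp.headers.get("Location"), digest)


def random_probe(suffix):
    # A path that cannot exist; it keeps the candidate's extension so any
    # extension-specific handler rule is exercised the same way.
    return "/" + secrets.token_hex(8) + suffix


def classify(fetch, candidate):
    """'catch-all' when the candidate is answered exactly like a random non-existent path
    (the scanner hit is a false positive); 'distinct' when it is not (worth a look)."""
    suffix = "." + candidate.rsplit(".", 1)[1] if "." in candidate else ""
    probe = random_probe(suffix)
    base = fingerprint(fetch(probe), probe)
    cand = fingerprint(fetch(candidate), candidate)
    return "catch-all" if base == cand else "distinct"


def http_fetch(base_url, session_cookie=None):
    """Fetcher for a real host. Redirects are not followed, so a 302 is reported as a 302
    rather than as the 200 of the login page it leads to."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)

    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path)
        if session_cookie:
            req.add_header("Cookie", session_cookie)
        try:
            with opener.open(req, timeout=10) as r:
                return Response(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))
    return fetch


if __name__ == "__main__":
    anon = lambda p: simulated_fetch(p)
    auth = lambda p: simulated_fetch(p, session="valid-session")
    for path in ("/JobManagement.old", "/JobManagement.orig", "/JobManagement.bak"):
        print(path, "anon:", classify(anon, path), "auth:", classify(auth, path))
```

Run unauthenticated, both scanner hits come back `catch-all`: the 200 the scanner saw is the same 200 any random path gets, so there is no evidence the file exists. Run with a session, the phantom paths match the 404 baseline while the assumed `.bak` file comes back `distinct`, which is what a real path disclosure looks like. Scrubbing the requested path out of the body before hashing matters because catch-all pages often echo the path (here in the `return=` parameter) and would otherwise never compare equal.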
