Highly Rated and Recommended
We're rated Excellent 4.2/5 stars on G2 - with 95+ verified reviews
| Issue: |
|
|---|---|
| Date: |
|
| Severity: | Critical |
| Requires Admin Access: | No |
| Fix Version: | 2.5.4 |
| Credit: | it.sec GmbH & Co. KG – Hans-Martin Münch & Markus Piéton |
| Description: |
A attacker can use the discovered scripts to obtain a information about the server and it’s configuration. Including the internal IP address, hostname and other dotCMS configuration parameters. This can be leveraged in later attacks to further attack the system. |
| Mitigation: |
Use a web application firewall that blocks external access to the unauthenticated scripts. These firewalls also blocks external access to .jsps and other URLs in the system that can be exploited. The firewalls can also attempt to filter any requests attempting to exploit XSS vulnerabilities in a customer’s implementation. We generally recommend using a firewall in this way. |
We're rated Excellent 4.2/5 stars on G2 - with 95+ verified reviews