Are these considered Vulnerabilities?

Support for security such as Firewalls and securing linux
Post Reply
hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Are these considered Vulnerabilities?

Post by hack3rcon » 2020/11/13 17:53:37

Hello,
I scanned my WordPress website with https://wpsec.com/ and scanner found below security Vulnerabilities:
WP-1.png
WP-1.png (29.02 KiB) Viewed 2524 times
WP-2.png
WP-2.png (57.52 KiB) Viewed 2524 times
When I click on the links then it shows me web directories like below:
WP-3.png
WP-3.png (43.79 KiB) Viewed 2524 times
Are they Vulnerabilities and Must I change Apache settings?

Thank you.

BShT
Posts: 583
Joined: 2019/10/09 12:31:40

Re: Are these considered Vulnerabilities?

Post by BShT » 2020/11/13 19:01:35

WordPress is probably one of the most scanned web applications for vulnerabilities

you MUST keep it updated and it´s plugins as well

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: Are these considered Vulnerabilities?

Post by tunk » 2020/11/14 15:33:31

No expert on this, but I think it's default to
list files when there's no index.html file in
a directory. You could try to remove "Indexes"
from the Options line in httpd.conf.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Are these considered Vulnerabilities?

Post by hack3rcon » 2020/11/15 12:24:58

Which part of the file?

Code: Select all

ServerRoot "/etc/httpd"
ServerName www.example.net
Listen 80
Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

IncludeOptional conf.d/*.conf

<IfModule mod_headers.c> 
  Header set X-XSS-Protection "1; mode=block" 
</IfModule>
And my Virtual Host is:

Code: Select all

<VirtualHost *:80>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
ServerAdmin root@localhost
ServerName www.example.net
ServerAlias www.example.net
DocumentRoot /var/www/WP
<Directory "/var/www/WP">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/httpd/WP_error.log
CustomLog /var/log/httpd/WP_access.log common
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.net [OR]
RewriteCond %{SERVER_NAME} =www.example.net [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Redirect permanent / https://www.example.net

TraceEnable off
ServerSignature Off
RequestReadTimeout header=20-600,MinRate=500 body=20,MinRate=500
</VirtualHost>

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: Are these considered Vulnerabilities?

Post by tunk » 2020/11/16 11:09:30

Code: Select all

<Directory "/var/www/WP">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Are these considered Vulnerabilities?

Post by hack3rcon » 2020/11/16 16:24:21

tunk wrote:
2020/11/16 11:09:30

Code: Select all

<Directory "/var/www/WP">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
Thank you.
I used "Options -Indexes +FollowSymLinks" and I have a question. It will apply to all sub-directory too?

Post Reply