Support Article
Hidden directories detected based on HTTP error code returned
SA-18402
Summary
Hidden directories may be detected based on the HTTP status code the server returns. If a directory does not exist, the server answers with HTTP 404 (Not Found).
If the directory exists but access to it is denied, the server answers with HTTP 403 (Forbidden), which tells the requester that the directory is present. By comparing the two responses across a wordlist of candidate names, an attacker can map the directory structure of the server for use in a later attack.
Error Messages
Not Applicable.
Steps to Reproduce
Not Applicable.
Root Cause
This is a third-party product issue: the finding is a security weakness in the web tier and must be addressed at the IBM HTTP Server and plug-in level.
The Pega application is not involved in producing the HTTP 403 response; it comes directly from IBM HTTP Server, which is based on the Apache HTTP Server.
Resolution
Here are some suggested changes for the operating environment. Each environment is different, so this information must be reviewed by your security team before implementation:
1. Enable mod_rewrite.so module in your httpd.conf of Apache or IBM HTTP Server:
LoadModule rewrite_module modules/mod_rewrite.so
2. Turn on the RewriteEngine and add a RewriteRule for each location you want to hide:
RewriteEngine On
RewriteRule ^/test/?$ /404 [L]
RewriteRule ^/test/.* /404 [L]
Note: test is the Alias or Directory being hidden. The first rule matches /test with or without a trailing slash, the second matches anything below it; both forward the request to /404. The /404 path must not itself exist (and must not sit under a denied Directory), otherwise the server will not answer 404 (Not Found) and the 403 will still be observable.
3. Restart Apache or IBM HTTP Server.
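The following script is an added example and is not part of the original article or of IBM HTTP Server. It serves both the Summary above (how the 403/404 difference is probed) and the Resolution steps: it generates the mod_rewrite fragment for a list of hidden aliases and then checks with curl that, after the restart, those aliases answer exactly like a path that does not exist. The alias names and the hostname are assumptions for illustration. The generated rules use the mod_rewrite flag R=404, which returns the status directly instead of forwarding to a /404 path; either form is acceptable as long as the final answer is 404.

```shell
#!/bin/sh
# Added example, not from the original article. Emits the mod_rewrite
# fragment for a list of protected aliases and then checks, with curl, that
# the server answers 404 for them exactly as it does for a path that does
# not exist. Hostnames and alias names are assumptions for illustration.

# Print a RewriteRule per alias that returns 404 directly (R=404) for the
# alias itself, with or without a trailing slash, and for everything below it.
# Patterns carry the leading slash because the rules live in server context
# (httpd.conf), where the full URL-path is matched.
gen_rewrite_rules() {
  echo "RewriteEngine On"
  for alias in "$@"; do
    printf 'RewriteRule ^/%s(/.*)?$ - [R=404,L]\n' "$alias"
  done
}

# Map an HTTP status code to what it tells an unauthenticated prober.
classify_status() {
  case "$1" in
    401|403) echo "exists" ;;   # refused, so the path is there
    404)     echo "absent" ;;
    *)       echo "other" ;;
  esac
}

# HEAD request, status code only, no redirects followed.
status_of() {
  curl -s -o /dev/null -I --max-time 5 -w '%{http_code}' "$1"
}

# Probe each alias plus a deliberately bogus control path; after the fix
# every line should read "absent". Before the fix the hidden aliases read
# "exists" while the control path reads "absent", which is the leak.
probe() {
  base="$1"; shift
  for name in "$@" "does-not-exist-$$"; do
    code=$(status_of "$base/$name")
    printf '%s\t%s\t%s\n' "$code" "$(classify_status "$code")" "$base/$name"
  done
}

# Usage (hostname and alias names are assumptions):
#   ./check.sh rules admin backup                 # prints the httpd.conf fragment
#   ./check.sh probe https://pega.example admin backup
if [ "$#" -ge 2 ]; then
  case "$1" in
    rules) shift; gen_rewrite_rules "$@" ;;
    probe) shift; probe "$@" ;;
  esac
fi
```

Run the probe once before applying the rules and once after the restart; the fix is complete only when every hidden alias and the control path return the same status code.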
Published January 31, 2016 - Updated October 8, 2020