ASP.NET config file enables directory browsing
ID: cs/web/directory-browse-enabled
Kind: problem
Security severity: 6.5
Severity: warning
Precision: very-high
Tags:
- security
- external/cwe/cwe-548
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
ASP.NET applications that enable directory browsing can leak sensitive information to an attacker. The precise nature of the vulnerability depends on which files are listed and accessible.
Recommendation
If this configuration may be used in production, remove the directoryBrowse element from the Web.config file or set the value to false.
Example
The following example shows the directoryBrowse enabled attribute set to true in a Web.config file for ASP.NET:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="true"/>
    <!-- ... -->
  </system.webServer>
</configuration>
To fix this problem, the enabled attribute should be set to false, or the directoryBrowse element should be removed completely:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false"/>
    <!-- ... -->
  </system.webServer>
</configuration>
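As an added example (not part of the CodeQL query or its documentation), the following Python check looks for the same setting in a Web.config file. It goes slightly beyond the case shown above by also inspecting `<location>` overrides, where browsing can be turned back on for a single path. The function name `find_directory_browsing` and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: browsing is off site-wide but re-enabled for one path.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false"/>
  </system.webServer>
  <location path="uploads">
    <system.webServer>
      <directoryBrowse enabled="true"/>
    </system.webServer>
  </location>
</configuration>
"""


def find_directory_browsing(config_text):
    """Return the scopes ('/' or a <location> path) where browsing is enabled."""
    root = ET.fromstring(config_text.encode("utf-8"))
    # Site-wide settings sit directly under <configuration>; per-path
    # overrides sit inside <location path="...">.
    scopes = [("/", root)]
    scopes += [(loc.get("path") or "/", loc) for loc in root.iter("location")]
    findings = []
    for scope, parent in scopes:
        for section in (c for c in parent if c.tag == "system.webServer"):
            for element in (c for c in section if c.tag == "directoryBrowse"):
                # Compared case-insensitively so an oddly cased value
                # is still flagged for review.
                if (element.get("enabled") or "").strip().lower() == "true":
                    findings.append(scope)
    return findings


if __name__ == "__main__":
    for scope in find_directory_browsing(SAMPLE_WEB_CONFIG):
        print(f"directory browsing enabled for: {scope}")
```

A check like this can run in CI against every Web.config and transform file, failing the build when the returned list is not empty.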
References
MSDN: directoryBrowse element.
Common Weakness Enumeration: CWE-548.