Vesta Control Panel - Forum

is /.well-known/acme-challenge/ an xss risk

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
moneer
Posts: 3
Joined: Tue Jul 25, 2017 9:29 am


Post by moneer » Thu Aug 02, 2018 12:00 pm

Hi,
I use https://detectify.com to scan for any possible vulnerabilities. The site tells me that /.well-known/acme-challenge/ is an XSS risk and that an attacker can inject JavaScript into the victim's browser, which will execute under the vulnerable domain.

Is that real?
And if it is real, why is it allowed to be accessed by everyone?
Can I remove it, or deny access to it?

I think Let's Encrypt reads the file only once, and then it does not need it.
Please help make this clearer to me and to others too.

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: is /.well-known/acme-challenge/ an xss risk

Post by ScIT » Sat Aug 04, 2018 6:49 pm

This is a false positive; access to this directory is limited to plain text only.
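
One way to verify the reply's claim on your own server, as an added example that is not part of the original posts or Vesta's own code: the check below classifies a response from the challenge path by whether the requested token is echoed back and with which Content-Type. The marker, the verdict names and the sample responses are constructed for illustration, and treating a missing nosniff header as "review" is an assumption of this example.

```python
import urllib.error
import urllib.parse
import urllib.request

INERT = {"text/plain", "application/octet-stream"}  # not rendered as a document
MARKER = "acme-check-<i>1"  # constructed, harmless probe token

def assess(headers, body, marker=MARKER):
    """Return (verdict, reason) for one response from the challenge path."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if marker not in body:
        return "ok", "requested token is not echoed back unencoded"
    if ctype not in INERT:
        return "risk", f"token echoed with Content-Type {ctype or '(missing)'}"
    if not nosniff:
        # Assumption of this example: flag for a manual look, because a
        # browser may content-sniff when nosniff is absent.
        return "review", f"token echoed as {ctype} without nosniff"
    return "ok", f"token echoed as {ctype} with nosniff"

def fetch(base_url, marker=MARKER):
    """GET the challenge path on a host you administer; error pages count too."""
    url = (base_url.rstrip("/") + "/.well-known/acme-challenge/"
           + urllib.parse.quote(marker))
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # a 404 page still has headers and a body to assess
    try:
        return dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    finally:
        resp.close()

# Constructed sample responses, not captured from a real server.
PLAIN = ({"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
         MARKER + ".constructed-thumbprint")
HTML = ({"Content-Type": "text/html; charset=utf-8"}, "<p>" + MARKER + "</p>")

if __name__ == "__main__":
    for name, (hdrs, body) in (("plain", PLAIN), ("html", HTML)):
        print(name, *assess(hdrs, body))
```

To check a live site you administer, run `assess(*fetch("https://your-domain.example"))`, where the domain is a placeholder.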