ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

source code disclosure SVN throws false positive #1498

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Name or identifier of scan rule: source code disclosure SVN

As many details as possible about the false positive:

I was given a report to evaluate; I have no access to the settings or version 
of ZAP used.

What I think happens is ... when a URL with 
http://host/dir/.svn/text-base/.svn-base or similar is requested and a 302 is 
returned and the destination URL returns a 200, ZAP assumes the URL exists. 

Sorry if this report is obsoleted by more recent versions. My intent is to find 
answers to suspicions which could not be validated against.

Original issue reported on code.google.com by joris.la...@gmail.com on 13 Jan 2015 at 10:52

GoogleCodeExporter commented 9 years ago

Original comment by kingtho...@gmail.com on 6 Mar 2015 at 12:57

GoogleCodeExporter commented 9 years ago
Code changes recently committed to resolve this, by not following redirects, 
and examining the response code more closely. Weekly releases after 2015-03-07, 
or version 2.4.0 or greater should not manifest this issue.

Original comment by colm.p.o...@gmail.com on 7 Mar 2015 at 10:39
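The redirect behaviour the reporter describes, and the fix Colm outlines (do not follow redirects, look at the status code of the response to the probed path itself), can be reproduced without ZAP. The following is an added example, not ZAP's own scan-rule code: it starts a constructed local HTTP server that answers every `/.svn/` path with a 302 to a landing page returning 200, then runs a naive redirect-following check beside a strict one. The hostname, port, path and page body are all constructed for the demo.

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class RedirectingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target in the issue: any /.svn/ path is
    redirected (302) to a landing page that itself returns 200."""

    def do_GET(self):
        if "/.svn/" in self.path:
            self.send_response(302)
            self.send_header("Location", "/index.html")
            self.end_headers()
        elif self.path == "/index.html":
            body = b"<html><body>landing page</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, fmt, *args):
        # keep the demo output quiet
        pass


def start_server():
    """Start the constructed server on an ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


# Path shape from the issue; the file name is a constructed placeholder.
SVN_PATH = "/dir/.svn/text-base/index.php.svn-base"


def naive_check(port):
    """Redirect-following client (urllib's default behaviour): it lands on the
    redirect target, sees its 200 and wrongly concludes the SVN file exists.
    This is the false positive described in the issue."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}{SVN_PATH}") as resp:
        return resp.status == 200


def strict_check(port):
    """Corrected logic: never follow redirects, and only treat a direct 200
    with a non-empty body as evidence of a disclosed file. http.client does
    not auto-follow, so the 302 is seen as-is."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", SVN_PATH)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        return False  # 3xx, 404 and friends are not evidence of the file
    return len(body) > 0


def run_demo():
    """Returns (naive_result, strict_result) against the constructed server."""
    server, port = start_server()
    try:
        return naive_check(port), strict_check(port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    naive, strict = run_demo()
    print(f"redirect-following check reports file present: {naive}")
    print(f"strict check reports file present: {strict}")
```

The naive check returns True (a false positive) while the strict check returns False, which is exactly the difference between the pre-2.4.0 behaviour and the fix. A real rule would additionally sanity-check the body (a redirect target is usually HTML, whereas a `.svn-base` file holds source text), but the status-code handling alone already removes this class of false positive.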

GoogleCodeExporter commented 9 years ago
Fixed in 2.4.0

Original comment by psii...@gmail.com on 14 Apr 2015 at 11:03