sullo / nikto

Nikto web server scanner

Netware web access false positive #356

Closed digininja closed 8 years ago

digininja commented 8 years ago

Page is a 404 but reported as there. This is on the same 404 page as the cfcache issues.

Test ID:        000330
OSVDB ID:       0
Message:        /servlet/webacc?User.html=noexist: Netware web access may reveal full path of the web server. Apply vendor patch or upgrade.
Reason:         Content Match
-----------------------------------------------------------------------
                          Request
-----------------------------------------------------------------------
GET /servlet/webacc?User.html=noexist HTTP/1.1
Connection: Keep-Alive
Host: aaa.xxx.co.uk
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000330)

-----------------------------------------------------------------------
                          Response
-----------------------------------------------------------------------
HTTP/1.1 404 Not Found
cache-control: private
content-type: text/html; charset=UTF-8
server: Microsoft-IIS/7.5
set-cookie: ASP.NET_SessionId=leortn45qd4htf45g4jo3r45; path=/; HttpOnly
x-aspnet-version: 2.0.50727
x-powered-by: ASP.NET
date: Tue, 12 Apr 2016 22:35:20 GMT
content-length: 24604

sullo commented 8 years ago

Similarly, this should match on "templates\/" in the response--which I admit is pretty common.

It's possible the 404 match here didn't trigger because the 404 response checker would have looked at a file with no extension at / and not /servlet/. Unless we rewrite how that works (we should, and I think there's an open ticket) there's not a lot that can be done for the override except on a check-by-check basis, which sucks. I've put an explicit 404 in for this check as a stopgap.
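
A triage sketch for reports like the one in this issue, added here as an example and not part of Nikto or of either comment: it parses one finding in the layout shown above and marks a "Content Match" result whose response status is 404 as a probable false positive. The function names and verdict strings are assumptions made for the example, and the sample text is abridged from the report above.

```python
import re

# Abridged from the report quoted in this issue (most headers dropped).
SAMPLE = """\
Test ID:        000330
OSVDB ID:       0
Message:        /servlet/webacc?User.html=noexist: Netware web access may reveal full path of the web server. Apply vendor patch or upgrade.
Reason:         Content Match
-----------------------------------------------------------------------
                          Request
-----------------------------------------------------------------------
GET /servlet/webacc?User.html=noexist HTTP/1.1
Host: aaa.xxx.co.uk

-----------------------------------------------------------------------
                          Response
-----------------------------------------------------------------------
HTTP/1.1 404 Not Found
server: Microsoft-IIS/7.5
content-length: 24604
"""

FIELD = re.compile(r"^(Test ID|OSVDB ID|Message|Reason):\s+(.*)$", re.M)
STATUS = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})\b", re.M)
SECTION = re.compile(r"^-{10,}\n\s*(Request|Response)\s*\n-{10,}\n", re.M)

def parse_finding(text):
    """Return the header fields of one finding plus the response status code."""
    parts = SECTION.split(text)  # [header, 'Request', req, 'Response', resp]
    fields = {k: v.strip() for k, v in FIELD.findall(parts[0])}
    sections = dict(zip(parts[1::2], parts[2::2]))
    m = STATUS.search(sections.get("Response", ""))
    fields["status"] = int(m.group(1)) if m else None
    return fields

def triage(text):
    """'suspect' when body content matched inside a 404 page, else 'review'."""
    f = parse_finding(text)
    if f.get("Reason") == "Content Match" and f["status"] == 404:
        return f.get("Test ID"), "suspect"
    return f.get("Test ID"), "review"

if __name__ == "__main__":
    print(triage(SAMPLE))
```
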