Hello, everyone
We performed security checks with a SecurityMetrics PCI scan. Currently it fails with the issue below:
Title: Backup Files Disclosure
Synopsis: It is possible to retrieve file backups from the remote web server.
Impact: By appending various suffixes (ie: .old, .bak, ~, etc...) to the names of various files on the remote host, it seems possible to retrieve their contents, which may result in disclosure of sensitive information. See also : http://projects.webappsec.org/Predictable-Resource-Location
Resolution: Ensure the files do not contain any sensitive information, such as credentials to connect to a database, and delete or protect those files that should not be accessible.
Data Received:
It is possible to read the following backup files :
- File : /Home/ctl/SendPassword~
  URL : https://mysite.com/Home/ctl/SendPassword~
...(and a long list of other same urls)...
Does anybody have any thoughts on how this should be resolved? We are on DNN 9, Windows Server 2012 R2.
Thank you!
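Before deleting anything, a defender wants to know two things about a finding like this: are there really stray backup files sitting under the site root, and does the flagged URL actually serve a separate file, or does the site's URL handling simply ignore the trailing suffix and return the same dynamic page? The PowerShell script below is an added example, not code from the original post, from DNN or from SecurityMetrics. The site root path `C:\inetpub\wwwroot\dnn`, the `$FlaggedUrls` list and the list of suffixes beyond the three the report names (.old, .bak, ~) are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post, DNN or SecurityMetrics).
# 1) List files with backup-style suffixes under the IIS site root.
# 2) For each URL the scanner flagged, fetch the suffixed URL and its base URL
#    and compare them, to separate a real exposed file from a dynamic page
#    that ignores the suffix.
# $SiteRoot, $FlaggedUrls and the extra suffixes are assumptions.

$SiteRoot    = 'C:\inetpub\wwwroot\dnn'                        # assumed site root
$FlaggedUrls = @('https://mysite.com/Home/ctl/SendPassword~')   # URLs from the scan report

# Suffixes to look for on disk. The report names .old, .bak and ~; the rest are assumed.
$BackupPatterns = @('*.old', '*.bak', '*.orig', '*.save', '*.swp', '*.copy', '*~')

function Find-BackupFiles {
    param([string]$Root, [string[]]$Patterns)
    # -Include only filters when combined with -Recurse (or a wildcard path).
    Get-ChildItem -Path $Root -Recurse -File -Include $Patterns |
        Select-Object FullName, Length, LastWriteTime
}

function Get-UrlSnapshot {
    param([string]$Url)
    # Returns status code and body; a non-2xx response surfaces as an exception.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Body = [string]$r.Content }
    } catch {
        $code = 0
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{ Url = $Url; Status = $code; Body = '' }
    }
}

function Compare-BackupUrl {
    param([string]$Url)
    # Strip the trailing backup suffix to recover the base URL the scanner started from.
    $baseUrl = $Url -replace '(~|\.(old|bak|orig|save|swp|copy))$', ''
    $suffixed = Get-UrlSnapshot -Url $Url
    $base     = Get-UrlSnapshot -Url $baseUrl

    $verdict = if ($suffixed.Status -ne 200) {
        "suffixed URL not served (HTTP $($suffixed.Status)); finding is stale or already fixed"
    } elseif ($base.Status -eq 200 -and $suffixed.Body -eq $base.Body) {
        "identical to base URL: the suffix is ignored and the dynamic page is returned; block such URLs rather than hunting for a file"
    } else {
        "distinct content: treat as a real exposed file; remove it or deny access"
    }

    [pscustomobject]@{
        FlaggedUrl     = $Url
        BaseUrl        = $baseUrl
        SuffixedStatus = $suffixed.Status
        BaseStatus     = $base.Status
        Verdict        = $verdict
    }
}

# Run both checks and print the results.
Find-BackupFiles -Root $SiteRoot -Patterns $BackupPatterns | Format-Table -AutoSize
$FlaggedUrls | ForEach-Object { Compare-BackupUrl -Url $_ } | Format-Table -AutoSize -Wrap
```

Run it from a machine that can reach the site, against the URLs copied from the "Data Received" section. Dynamic pages often embed per-request tokens or timestamps, so if the two bodies differ only by such fragments the "distinct content" verdict is a false alarm; diff the two bodies by hand in that case. If the file-system search comes back empty and the suffixed URL returns the same page as the base URL, nothing needs deleting: the remediation is to make the server reject those URL shapes so the scanner stops seeing a 200.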
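The "protect those files" half of the scanner's resolution can be done in IIS without touching DNN code, through request filtering in the site's web.config. The fragment below is an added example, not part of the original post or of DNN's own web.config; the exact list of extensions is an assumption (the report itself only names .old, .bak and ~). IIS evaluates these rules against the request URL before any handler runs, so a denied extension or sequence is rejected whether or not a matching file exists on disk.

```xml
<!-- Added example, not from the original post or from DNN's shipped web.config.
     Merge into the existing <system.webServer> section of the site's web.config. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Reject requests whose URL ends in a backup-style extension.
             allowUnlisted="true" keeps every extension not listed here working. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak"  allowed="false" />
          <add fileExtension=".old"  allowed="false" />
          <add fileExtension=".orig" allowed="false" />
          <add fileExtension=".save" allowed="false" />
          <add fileExtension=".swp"  allowed="false" />
        </fileExtensions>
        <!-- Reject any URL containing a tilde, which covers the "SendPassword~" style probes. -->
        <denyUrlSequences>
          <add sequence="~" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After applying this, a request for `/Home/ctl/SendPassword~` is answered by IIS with a 404 (sub-status 404.5 for a denied URL sequence, 404.7 for a denied extension) instead of the page, which is what the scanner needs to see. Check the site's own URLs first: if any legitimate DNN route contains a tilde, the `denyUrlSequences` entry would break it, and a URL Rewrite rule matching only a trailing `~` would be the narrower alternative.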