web.config File Information Disclosure #1812

Closed
opened 2026-02-05 01:56:58 +03:00 by OVERLORD · 2 comments

Originally created by @isgroup on GitHub (Jul 31, 2020).

Describe the bug

When BookStack is installed on an Apache system the "web.config" file is not parsed and is exposed. While this has no impact as "web.config" contents are known, BookStack's users will get a Medium severity issue from well-known security scanners.

A simple and effective solution is to disable access to "web.config" in the ".htaccess". This will work both on Apache and IIS.

Steps To Reproduce

`GET /web.config HTTP/1.1` on an Apache installation.

Expected behavior

Ensure proper restrictions are in place, or remove the web.config file if the file is not required.

Screenshots

N/A

Your Configuration (please complete the following information):

BookStack Docker Version (latest)

Additional context

An information disclosure vulnerability exists in the remote web server due to the disclosure of the web.config file. An unauthenticated, remote attacker can exploit this, via a simple GET request, to disclose potentially sensitive configuration information.

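The mitigation proposed in the report, written out as an added `.htaccess` example (this is not BookStack's shipped configuration). It assumes Apache 2.4 with `mod_authz_core`, `mod_alias` loaded, and `AllowOverride` permitting `.htaccess` in the public directory; the Apache 2.2 fallback is included for older hosts.

```apache
# Added example, not BookStack's own .htaccess. Apache never parses
# web.config (it is an IIS file), so refusing to serve it has no side
# effect on Apache and stops scanners flagging it as a disclosure.

# Option A: refuse the request with 403. Pick A or B, not both.
<Files "web.config">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 fallback
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Option B: answer 404 instead, as suggested later in the thread, so the
# response looks identical to a file that does not exist. Needs mod_alias.
# <IfModule mod_alias.c>
#     RedirectMatch 404 "^/web\.config$"
# </IfModule>
```

After deploying, a request for `/web.config` should return 403 (option A) or 404 (option B) while the rest of the site is unaffected, since the rule matches that one filename only.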

@ssddanbrown commented on GitHub (Dec 11, 2020):

Thanks for reporting @isgroup.

To be honest though, I don't really want to go to any additional effort just to prevent a potential warning in overly sensitive/alertive auto scanners.

The web.config file supplied with BookStack is public. Although I'm not that familiar with IIS, as far as I can tell hiding the file won't really provide any additional benefit, especially when done on a webserver (Apache) that does not even support that config file format.


@isgroup-srl commented on GitHub (Dec 11, 2020):

Hi Dan, thanks for your response.

I have the impression that you did not understand the proposed solution: since Apache does not even support that config it's totally safe to forbid access to "web.config". No nasty side effect and it will save users from compliance headaches from overly sensitive/alertive auto scanners, that sadly are commonly used. A 404 could be returned.

Naturally, I agree that this is a very low priority and has an actual security impact only in edge cases that do not correspond to the currently shipped configuration (the file is public and it doesn't contain sensitive information).

BTW, very cool software!

For future reference:

- https://www.drupal.org/project/drupal/issues/2948579
- https://stackoverflow.com/questions/42949438/restrict-download-of-htaccess-and-web-config-files

Reference: starred/BookStack#1812