Global.asa backup file found
Description
The Global.asa file (or Global.asax for ASP.NET) is a configuration file used in IIS applications to define application-level and session-level event handlers, as well as declare globally accessible objects. This file typically resides in the application's root directory and is protected by the web server to prevent direct access by clients.
A publicly accessible backup copy of this file has been discovered. Because Global.asa files often contain sensitive information such as database connection strings, application logic, authentication mechanisms, and other configuration details, exposing a backup copy represents a significant information disclosure vulnerability.
Remediation
Take immediate action to remove or restrict access to the Global.asa backup file:
1. Remove the backup file from the web-accessible directory if it is no longer needed.
2. Restrict access using web server configuration if the file must remain on the server. For IIS, add the following to your web.config file:

    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <hiddenSegments>
              <add segment="Global.asa" />
              <add segment="Global.asax" />
            </hiddenSegments>
            <fileExtensions>
              <add fileExtension=".asa" allowed="false" />
              <add fileExtension=".asax" allowed="false" />
            </fileExtensions>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>

3. Implement a backup policy that stores backup files outside the web root directory or in locations that are not publicly accessible.
4. Scan for other backup files with common extensions such as .bak, .old, .backup, .copy, or ~ that may also be exposed.
5. Review and rotate credentials if sensitive information such as database passwords or API keys was contained in the exposed file.
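As an added example (not part of the original finding text), the following web.config fragment extends the request-filtering rules from step 2 so that they also cover the backup naming patterns listed in step 4. It assumes IIS 7 or later with the Request Filtering module installed; the extension list is illustrative and mirrors the suffixes named in step 4 rather than being an exhaustive IIS default.

```xml
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Hide the live Global.asa / Global.asax from direct requests.
             hiddenSegments matches whole segment names, so a copy named
             Global.asa.bak is NOT covered by these two entries. -->
        <hiddenSegments>
          <add segment="Global.asa" />
          <add segment="Global.asax" />
        </hiddenSegments>
        <!-- Deny the source extensions and the common backup extensions.
             IIS matches on the final extension, so Global.asa.bak is
             blocked by the .bak entry, not by the .asa entry. -->
        <fileExtensions>
          <add fileExtension=".asa" allowed="false" />
          <add fileExtension=".asax" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
          <add fileExtension=".backup" allowed="false" />
          <add fileExtension=".copy" allowed="false" />
        </fileExtensions>
        <!-- Editor backups such as Global.asa~ end in a tilde rather than a
             dotted extension, so deny the tilde anywhere in the URL. -->
        <denyUrlSequences>
          <add sequence="~" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Two caveats when applying this: the `~` sequence rule also rejects any legitimate URL that contains a tilde (for example user-directory style paths), so confirm the application does not rely on such URLs before enabling it; and request filtering only governs what IIS serves, so the backup file itself should still be deleted or moved outside the web root as steps 1 and 3 require.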