Struts 2 Config Browser plugin enabled

Severity: Medium
Summary

Invicti detected that the web application is configured to use the Config Browser plugin. The Config Browser plugin is a tool for viewing the web application's configuration at runtime. It should be used only during the development phase, and access to it should be strictly restricted in production.

Impact

The Config Browser plugin exposes sensitive information about the application's configuration that could help an attacker conduct further attacks.

Actions To Take

The Config Browser plugin can be disabled by removing its .jar file (usually named struts2-config-browser-plugin-*.jar) from the WEB-INF/lib directory.
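The jar-removal step above, turned into a deployment check and remediation helper. This is an added example, not code from the Invicti page or the Struts project; it assumes applications are deployed as exploded directories under one deployment root (for example a Tomcat webapps/ directory) and that a shell with POSIX find is available.

```shell
#!/bin/sh
# Added example: locate and optionally remove the Struts 2 Config Browser plugin jar
# (struts2-config-browser-plugin-*.jar) from every WEB-INF/lib under a deployment root.
# Assumption: exploded deployments (directories), not packaged .war files.

# Print every matching plugin jar under DEPLOY_ROOT, one path per line.
find_config_browser_jars() {
    deploy_root=$1
    find "$deploy_root" -type f -path '*/WEB-INF/lib/*' \
        -name 'struts2-config-browser-plugin-*.jar' 2>/dev/null
}

# Return 0 when no plugin jar is deployed, 1 when at least one is found.
# Suitable as a gate in a deployment pipeline or a periodic host check.
check_deploy_root() {
    hits=$(find_config_browser_jars "$1")
    if [ -n "$hits" ]; then
        echo "Config Browser plugin deployed:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Remediation as the page recommends: delete the plugin jar(s) from WEB-INF/lib.
# Run only after confirming the application does not rely on the plugin.
remove_config_browser_jars() {
    find_config_browser_jars "$1" | while IFS= read -r jar; do
        rm -f -- "$jar" && echo "removed $jar"
    done
}

# Constructed fixture for a stand-alone run: app1 ships the plugin, app2 does not.
# The version string x.y.z is a placeholder, not a real release.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/app1/WEB-INF/lib" "$root/app2/WEB-INF/lib"
    : > "$root/app1/WEB-INF/lib/struts2-config-browser-plugin-x.y.z.jar"
    : > "$root/app1/WEB-INF/lib/struts2-core-x.y.z.jar"
    : > "$root/app2/WEB-INF/lib/struts2-core-x.y.z.jar"
    check_deploy_root "$root" || echo "check failed, remediating"
    remove_config_browser_jars "$root"
    check_deploy_root "$root" && echo "clean"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to see the check fail, the jar removed, and the check pass; point `check_deploy_root` at a real deployment root to use it for gating.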
