Product: TIBCO Spotfire Server
Versions: 7.5 and higher
Summary:
Web security and vulnerability scanners such as HP Webinspect may report files with file extension .gz as risks. The files listed in this article are not backup files, do not contain any sensitive data and do not expose any risk.
Details:
Web security and vulnerability scanners such as HP Webinspect may report files with the file extension .gz as risks.
Example report:
Webinspect has detected an archive file with the .gz extension on the target server. The severity of the threats posed by the web-accessible backup files depends on the sensitivity of the information stored in the original document. Based on that information, an attacker can gain sensitive information about the site architecture, database and network access credential details, encryption keys, and so forth from these files. The attacker can use information obtained to craft precise targeted attacks, which may not otherwise be feasible, against the application.
Spotfire serves a number of files ending in .gz at the following URLs; scanners may report them as security threats.
- http(s)://hostname/spotfire/resources/min/app-lib.css.gz
- http(s)://hostname/spotfire/resources/min/app.css.gz
- http(s)://hostname/spotfire/resources/min/third-party.js.gz
- http(s)://hostname/spotfire/resources/min/app.js.gz
- http(s)://hostname/spotfire/resources/min/customization.js.gz
These files are not backup files, do not contain any sensitive data and do not expose any risk at all.
The *.gz files are precompressed versions of the files without the .gz extension that exist in the same folder. The purpose of these files is to speed up downloads and to reduce the need for the web server to compress static files on every request.
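The statement above rests on one checkable property: each .gz file inflates to exactly the bytes of its sibling without the extension. The following Python script is an added example (not part of this article and not TIBCO code) that verifies that property for every .gz file in a directory and separates the benign case from the ones a scanner finding would actually deserve: a .gz with no sibling (a possible real backup), a .gz whose content differs from its sibling, or a file that is not a gzip stream at all. The file names mirror the article's list; their contents, and the extra config.bak.gz, legacy.js.gz and junk.gz cases, are constructed for the demonstration.

```python
"""Check that *.gz files are precompressed copies of their siblings.

Added example for the article above; not TIBCO code. File names follow the
article's list, but all file contents below are constructed.
"""
import gzip
import tempfile
from pathlib import Path


def check_precompressed(directory):
    """Classify every *.gz file in `directory`.

    Returns a dict mapping the .gz file name to one of:
      'match'    - inflates to exactly the bytes of the sibling file
      'mismatch' - sibling exists but its bytes differ (worth a look)
      'orphan'   - no sibling without .gz (could be a genuine backup)
      'corrupt'  - not a valid gzip stream
    """
    results = {}
    for gz_path in sorted(Path(directory).glob("*.gz")):
        sibling = gz_path.with_suffix("")  # strips only the trailing .gz
        try:
            with gzip.open(gz_path, "rb") as fh:
                inflated = fh.read()
        except (OSError, EOFError):  # gzip.BadGzipFile is an OSError
            results[gz_path.name] = "corrupt"
            continue
        if not sibling.exists():
            results[gz_path.name] = "orphan"
        elif sibling.read_bytes() == inflated:
            results[gz_path.name] = "match"
        else:
            results[gz_path.name] = "mismatch"
    return results


def build_sample_dir(directory):
    """Populate `directory` with constructed files (contents are made up)."""
    d = Path(directory)
    static = {  # the five names the article lists, with invented contents
        "app-lib.css": b"body{margin:0}\n",
        "app.css": b".toolbar{display:flex}\n",
        "third-party.js": b"var lib={};\n",
        "app.js": b"console.log('spotfire');\n",
        "customization.js": b"// customer overrides\n",
    }
    for name, data in static.items():
        (d / name).write_bytes(data)
        with gzip.open(d / (name + ".gz"), "wb") as fh:  # precompressed twin
            fh.write(data)
    # Constructed cases that a scanner finding would be right to flag:
    with gzip.open(d / "config.bak.gz", "wb") as fh:  # no sibling at all
        fh.write(b"db.password=PLACEHOLDER\n")
    (d / "legacy.js").write_bytes(b"// current build\n")
    with gzip.open(d / "legacy.js.gz", "wb") as fh:  # stale, differing twin
        fh.write(b"// stale build\n")
    (d / "junk.gz").write_bytes(b"not a gzip stream")  # wrong format


def run_demo():
    """Build the sample directory in a temp folder and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        return check_precompressed(tmp)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:9s} {name}")
```

Run against the real resources/min folder on the server (with `check_precompressed("/path/to/spotfire/resources/min")`, path assumed), every entry in the article's list should come back as 'match'; any 'orphan' or 'mismatch' is a file the article does not vouch for and should be reviewed on its own merits.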
Resolution:
No action needs to be taken, as the files do not leave the system at risk in any way.
It is possible to delete the files as long as the corresponding files without the .gz extension are left intact. However, without them the server will need more CPU resources to compress data while in operation, and the end user experience may get worse due to longer transfer times.