Hello,
We have performed a pentest of the OpenKM app, and there were two issues that need to be fixed related to the web services page.
The first issue: lack of authentication to access the URL www.url.com/OpenKM/services. The recommended mitigation action was to either set up authentication on this page or disable it.
Could you please guide us on how to perform one of these two actions?
The second issue: technical information disclosure, also on /OpenKM/services/* and /OpenKM/services/rest/swagger.json.
The mitigation action proposed for this one is to either define customized error messages, or generate exceptions at the code level and not send this information to the client browser.
Do you have any recommendation on how to perform this action?
Thanks in advance