| Description |
This article describes a Backup File Disclosure vulnerability reported against FortiOS 7.0.x, 7.2.x, 7.4.x and 7.6.x by the Nessus Vulnerability Scanner.
| Scope |
FortiOS 7.0.x, 7.2.x, 7.4.x, 7.6.x.
| Solution |
This has been confirmed to be a false positive: the FortiOS web server replies to an HTTP request for an invalid path with an HTTP 404 error.
The user can also attempt to download the file with an external tool such as wget or curl. The example below uses wget:
> wget.exe -S --no-check-cert https://<FortiGate_IP>/.htaccess
The -S option prints the server's response headers, so the HTTP status and Content-Type are visible alongside the download.
The command above downloads the .htaccess file into the folder where the command is run. Decompress the downloaded file to review its content.
Viewing the file confirms that what FortiGate serves is just an index.html file compressed with gzip, which redirects to the login page via JavaScript.
To view the content of the file on Linux, gzip can be used:
> gzip -cd .htaccess
As a result, this has been confirmed to be a false positive on v7.0.x, v7.2.x, v7.4.x and v7.6.x.
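The triage described above can be scripted for a whole batch of scanner hits. The following is an added example, not Fortinet's code: given the HTTP status and the raw bytes saved for a probed path, it decompresses a gzip body and reports whether the content is the login-redirect index.html the article describes or something that needs a closer look. The sample bodies and the "HTML with a script mentioning login" heuristic are constructed assumptions.

```python
"""Classify a 'backup file disclosure' probe response from a FortiGate."""
import gzip

GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of every gzip stream


def decode_body(body: bytes) -> bytes:
    """Return the body decompressed when it is gzip; otherwise unchanged.

    Raises ValueError if the gzip stream is damaged, so callers can flag it.
    """
    if not body.startswith(GZIP_MAGIC):
        return body
    try:
        return gzip.decompress(body)
    except (OSError, EOFError) as exc:   # BadGzipFile is an OSError subclass
        raise ValueError(f"damaged gzip body: {exc}") from exc


def classify(status: int, body: bytes) -> str:
    """Return 'not_found', 'login_redirect' or 'review' for one probe.

    'login_redirect' is the false-positive case from the article: an HTML
    page whose JavaScript sends the browser to the login page (heuristic:
    HTML document containing a <script> that mentions 'login'; assumption).
    """
    if status == 404:
        return "not_found"            # invalid path: the normal FortiOS reply
    try:
        content = decode_body(body).lower()
    except ValueError:
        return "review"               # cannot decode: inspect by hand
    if b"<html" in content and b"<script" in content and b"login" in content:
        return "login_redirect"
    return "review"                   # anything else deserves manual review


# Constructed sample: a gzip-compressed index.html redirecting to login,
# standing in for what the article says FortiGate serves for /.htaccess.
SAMPLE_INDEX = gzip.compress(
    b"<html><head><script>window.location.href='/login';</script></head></html>"
)
# Constructed sample of what a genuinely exposed .htaccess would look like.
SAMPLE_HTACCESS = b'AuthType Basic\nAuthName "Restricted"\nRequire valid-user\n'

if __name__ == "__main__":
    for name, status, body in [("index", 200, SAMPLE_INDEX),
                               ("htaccess", 200, SAMPLE_HTACCESS),
                               ("missing", 404, b"")]:
        print(f"{name}: {classify(status, body)}")
```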
Copyright 2026 Fortinet, Inc. All Rights Reserved.