Got 200 on an URL that should gives a 404

I just passed my website made with Grav on the Spaghetti scanner.

It listed a lot of common used files and folders. I tried many of those knowing those files and folders didn't exist at all on my webserver.

Every links (like https://example.com/node.xml.zip) give a HTTP 200 with my homepage displayed ; it should be a 404.

It can be a SEO disaster and a pain in the 4ss to discover real vulnerabilities with a scanner…

I'm using the default .htaccess file, directly on a domain name.

Am I missing something ?

Regards

Solution

Turns out this is indeed an error with Grav. I opened an issue on Github and the bug has already been patched.

You should see a fix for this behavior in the next release.

Update:
As of the 1.3.8 release (October 27th, 2017), this bug fix has been officially released.

Laravel reverts to /public/ in URLs when trailing slashes are added
Laravel 8 misbehaves on trailing slash
How to properly make 301 redirect
Allow access to page only from certain referrer
How to enable .htaccess support with PHP-FPM, Nginx, and Apache2 on Ubuntu 24.04 with FastPanel?
Wordpress REST API (wp-api) 404 Error: Cannot access the WordPress REST API
htaccess rewrite rule 401
403 Forbidden and 500 Internal Server Error after moving Laravel to a new server without terminal access
Edit or create .htaccess file to redirect folder to a page
How can I make sure AuthName works in all browsers?
I call the PHP file in the subfolder, but the .htaccess uses a weird rewrite
map subfolder content to root with .htaccess
How to hide params passed in url using .htaccess
Redirecting to a subdomain from another domain without changing its URL
How can I remove “public/index.php” in the Laravel Url?
How do I hide my 'index' on my main page?
Best Practice: 301 Redirect HTTP to HTTPS (Standard Domain)
Flutter web 404 Not Found
How to Show a 503 Error for a Single Page
How to Show a 503 Error for a Specific URL on a Website Using .htaccess
How to get MAMP to read .htaccess files
Laravel | Shared hosting routes not working properly
How to redirect URL containing question mark and a specific string to the root domain with .htaccess
htaccess IP restriction and htpasswd
Wordpress 403/404 Errors: You don't have permission to access /wp-admin/themes.php on this server
Wordpress htaccess modrewrite
.htaccess 403 Forbidden
Forcing SSL in codeigniter with a helper
mod_rewrite: Error 500 triggered when URI contains an existing file without extension followed by /whatever when using REQUEST_FILENAME
Pretty URLs with .htaccess