A web directory was found to be browsable (Cobbler)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | Fix Released | Low | Anton Chevychalov |
Bug Description
Detailed bug description:
"A web directory was found to be browsable, which means that anyone can see the contents of the directory. These directories can be found:
* via page spidering (following hyperlinks), or
* as part of a parent path (checking each directory along the path and searching for "Directory Listing" or similar strings), or
* by brute forcing a list of common directories.
Browsable directories could allow an attacker to perform a directory traversal attack by viewing "hidden" files in the web root, including CGI scripts, data files, or backup pages."
Steps to reproduce:
"HTTP request to https:/
HTTP response code was an expected 200
5: </head> 6: <body> 7: <h1>Index of /icons</h1> 8: <table> 9: ...CO]"
Expected results:
No directory and no items index is provided.
Apache HTTPD
Disable web directory browsing for all directories and subdirectories
In your httpd.conf file, disable the "Indexes" option for the appropriate <Directory> tag by removing it from the Options line.
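An added example (not part of the bug report or the Fuel fix): a small Python audit that scans Apache configuration text for `<Directory>` blocks whose `Options` line leaves `Indexes` enabled, the setting the remediation above says to remove. The sample configuration and its paths are constructed, and the check reads only each block's own `Options` line; it does not resolve inheritance between directories.

```python
import re

# Constructed sample configuration; paths are illustrative assumptions.
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/icons">
    Options +Indexes
</Directory>
<Directory "/var/www/cobbler">
    Options -Indexes +FollowSymLinks
</Directory>
<Directory "/srv/static">
    Options All
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</Directory\s*>', re.I)
OPTIONS = re.compile(r'Options\s+(.+)', re.I)

def enables_indexes(tokens):
    """True if one Options line leaves directory listings switched on."""
    enabled = False
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        if name in ("indexes", "all"):   # "All" includes Indexes
            enabled = not tok.startswith("-")
        elif name == "none":
            enabled = False
    return enabled

def find_browsable(conf_text):
    """Return (directory, line_no, directive) for every <Directory> block
    whose own Options line enables Indexes."""
    findings, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()  # '#' comment lines match none of the patterns
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1))
        elif CLOSE.match(line) and stack:
            stack.pop()
        elif stack:
            m = OPTIONS.match(line)
            if m and enables_indexes(m.group(1).split()):
                findings.append((stack[-1], line_no, line))
    return findings
```

Each finding names the directory and the line to edit; changing that line to `Options -Indexes` (or dropping `Indexes` from it) is the fix the report describes.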
tags: added: customer-found
Changed in fuel:
assignee: nobody → MOS Maintenance (mos-maintenance)
importance: Medium → Low
Changed in fuel:
assignee: MOS Maintenance (mos-maintenance) → Anton Chevychalov (achevychalov)
Changed in fuel:
status: Fix Committed → In Progress
Changed in fuel:
status: In Progress → Fix Committed
Fix proposed to branch: 8.0 /review.fuel-infra.org/32993
Change author: Anton Chevychalov <email address hidden>
Review: https:/