Bug 1315763

Summary: Browsable web directory https://<server>:5000/icons/
Product: Red Hat Satellite Reporter: Dmitry Zhukovski <dzhukous>
Component: SecurityAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX QA Contact: Katello QA List <katello-qa-list>
Severity: low Docs Contact:
Priority: high    
Version: 6.1.7CC: bkearney, dcaplan, mmccune, saydas
Target Milestone: UnspecifiedKeywords: PrioBumpPM
Target Release: Unused   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-10 18:57:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Dmitry Zhukovski 2016-03-08 14:41:27 UTC
Description of problem:
Browsable web directory https://<server>:5000/icons/

Version-Release number of selected component (if applicable):
sat6.1.7

How reproducible:
Everytime

Steps to Reproduce:
1. Put https://<server>:5000/icons/ server can be either Sat server or capsule
2.
3.

Actual results:
Getting list of icons

Expected results:
access denied

Additional info:
It has been detected during PCI-DSS audit.

Comment 2 Dmitry Zhukovski 2016-03-15 13:49:21 UTC
More details:

  This issue is only present on RHEL6 hosts and only when you put trailing / at the end of URL.

  Raising severity and priority as it's security related bug.

  Still believing that it can be resolved very easily.

br,
dmitry

Comment 3 Kurt Seifried 2016-04-14 15:17:23 UTC
If you have configured Apache with:

<IfModule alias_module>
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
     Order allow,deny
     Allow from all
</Directory>
</IfModule>

then the icons dir is behaving as expected if you go to /icons/ and are shown icons. 

Disabling the default icons directory is possible, but this is not a security vulnerability, at best it's a security hardening (fingerprinting of the server) but unless you're completely locking apache down (server tokens, etc.) identifying it is trivial and not really worth it from even a security hardening perspective. So from PS's perspective you can remove the icons alias configuration, or not, either works for us =).

Comment 6 Bryan Kearney 2016-11-10 18:57:34 UTC
Closing this out as I do not expect us to address it in the near future. If you believe this is in error, please feel free to re-open with additional business justification.