Bug 2125370

Summary: Apache Multiviews Arbitrary Directory Listing Issue on Red Hat Capsule 6.11
Product: Red Hat Satellite
Reporter: Satyajit Das <sadas>
Component: Installer
Assignee: satellite6-bugs <satellite6-bugs>
Status: NEW
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium
Priority: unspecified
Version: 6.11.0
CC: aruzicka, ehelms, ekohlvan, kyoshida, pdwyer, pmendezh, rcavalca, saydas, wpinheir
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Flags: kyoshida: needinfo? (ekohlvan)
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Satyajit Das 2022-09-08 18:19:57 UTC
Description of problem:

Apache Multiviews Arbitrary Directory Listing Issue on Red Hat Capsule 6.11 

Version-Release number of selected component (if applicable):

Capsule 6.11

How reproducible:

100%


Steps to Reproduce:
-------------------
1. Try to access the Capsule URL through your browser or using the curl command:

    curl https://capsule.example.com/?M=A



Actual results:
--------------

Nessus was able to exploit the issue using the following request:

curl https://capsule.example.com/?M=A

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="cgi-bin/">cgi-bin/</a></td><td align="right">2022-03-22 11:36  </td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="html/">html/</a></td><td align="right">2022-03-22 11:36  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>


Expected results:

This Nessus vulnerability (CVE-2001-0731) should be fixed.


Additional info:

Comment 1 Ewoud Kohl van Wijngaarden 2022-09-09 10:54:55 UTC
Technical details:

Today we use /var/www as a document root. This is incorrect and we should use the Pulp static root (as we do with the HTTPS vhost).

It was introduced in https://github.com/theforeman/puppet-foreman_proxy_content/commit/76e2a6852d1d2ca33935ccf8a6ab69992c32ec1d and https://github.com/theforeman/puppet-foreman_proxy_content/blob/15616eb59ba64e8d97440575e7c120f3c2e214d5/spec/acceptance/content_standalone_mirror_spec.rb#L35-L39 has a TODO to resolve it.

After that we should also look into disabling directory listing.

A workaround for this is creating an empty index file:

    touch /var/www/index.html

That doesn't solve any possible security issues, but it tricks naive vulnerability scanners.

Comment 3 Rafael Cavalcanti 2022-11-22 15:03:01 UTC
*** Bug 2144854 has been marked as a duplicate of this bug. ***

Comment 6 Ewoud Kohl van Wijngaarden 2022-11-22 20:59:49 UTC
(In reply to Ewoud Kohl van Wijngaarden from comment #1)
> A workaround for this is creating an empty index file:
> 
>     touch /var/www/index.html
> 
> That doesn't solve any possible security issues, but it tricks naive
> vulnerability scanners.

It was pointed out that the cgi-bin and html directories are also visible, so a more correct workaround is:

    touch /var/www/index.html /var/www/cgi-bin/index.html /var/www/html/index.html
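
Added example, not part of the bug report or its comments: a Python check that requests the three paths named above with the `?M=A` query from the report and shows which of them still return an Apache directory listing, so the `index.html` workaround can be verified per directory on your own Capsule. The helper names, the "Index of" title heuristic and the trimmed `SAMPLE` response are assumptions of this example.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser

PATHS = ["/", "/cgi-bin/", "/html/"]  # docroot and the two directories it listed
# Constructed sample: trimmed copy of the response in the bug description.
SAMPLE = ('<html><head><title>Index of /</title></head><body>'
          '<a href="?C=N;O=D">Name</a><a href="cgi-bin/">cgi-bin/</a>'
          '<a href="html/">html/</a></body></html>')

class _Page(HTMLParser):
    """Collect the <title> text and every link target."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def listed_entries(body):
    """Return the entries an autoindex page exposes, or None for other pages."""
    page = _Page()
    page.feed(body)
    if not page.title.strip().startswith("Index of "):
        return None
    # Drop column-sort links (?C=N;O=D) and the absolute parent-directory link.
    return [h for h in page.hrefs if h and h[0] not in "?/"]

def fetch(base, path):
    """GET base+path?M=A (the request from the report); HTTP errors mean no listing."""
    try:
        with urllib.request.urlopen(base + path + "?M=A", timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError:
        return ""

def audit(base, fetch=fetch, paths=PATHS):
    """Map each path to its exposed entries (None when no listing comes back)."""
    return {p: listed_entries(fetch(base, p)) for p in paths}
```

Calling `audit("https://capsule.example.com")` against a host you administer returns `None` for every path once no listing is served; any list in the result names a directory that is still browsable.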