Bug 1315763 - Browsable web directory https://<server>:5000/icons/
Browsable web directory https://<server>:5000/icons/
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Security (Show other bugs)
All Linux
high Severity low (vote)
: Unspecified
: --
Assigned To: satellite6-bugs
Katello QA List
: PrioBumpPM
Depends On:
  Show dependency treegraph
Reported: 2016-03-08 09:41 EST by Dmitry Zhukovski
Modified: 2017-04-25 12:35 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-11-10 13:57:34 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Dmitry Zhukovski 2016-03-08 09:41:27 EST
Description of problem:
Browsable web directory https://<server>:5000/icons/

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Put https://<server>:5000/icons/ server can be either Sat server or capsule

Actual results:
Getting list of icons

Expected results:
access denied

Additional info:
It has been detected during PCI-DSS audit.
Comment 2 Dmitry Zhukovski 2016-03-15 09:49:21 EDT
More details:

  This issue is only present on RHEL6 hosts and only when you put trailing / at the end of URL.

  Raising severity and priority as it's security related bug.

  Still believing that it can be resolved very easily.

Comment 3 Kurt Seifried 2016-04-14 11:17:23 EDT
If you have configured Apache with:

<IfModule alias_module>
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
     Order allow,deny
     Allow from all

then the icons dir is behaving as expected if you go to /icons/ and are shown icons. 

Disabling the default icons directory is possible, but this is not a security vulnerability, at best it's a security hardening (fingerprinting of the server) but unless you're completely locking apache down (server tokens, etc.) identifying it is trivial and not really worth it from even a security hardening perspective. So from PS's perspective you can remove the icons alias configuration, or not, either works for us =).
Comment 6 Bryan Kearney 2016-11-10 13:57:34 EST
Closing this out as I do not expect us to address it in the near future. If you believe this is in error, please feel free to re-open with additional business justification.

Note You need to log in before you can comment on or make changes to this bug.