Description of problem:
Browsable web directory https://<server>:5000/icons/

Version-Release number of selected component (if applicable):
sat6.1.7

How reproducible:
Every time

Steps to Reproduce:
1. Put https://<server>:5000/icons/ (server can be either Sat server or capsule)

Actual results:
Getting list of icons

Expected results:
access denied

Additional info:
It has been detected during PCI-DSS audit.
More details: This issue is only present on RHEL6 hosts and only when you put a trailing / at the end of the URL. Raising severity and priority as it's a security-related bug. Still believing that it can be resolved very easily.

br, dmitry
If you have configured Apache with:

    <IfModule alias_module>
        Alias /icons/ "/var/www/icons/"
        <Directory "/var/www/icons">
            Options Indexes MultiViews
            AllowOverride None
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>

then the icons dir is behaving as expected if you go to /icons/ and are shown icons. Disabling the default icons directory is possible, but this is not a security vulnerability; at best it's security hardening (fingerprinting of the server), but unless you're completely locking Apache down (server tokens, etc.), identifying it is trivial and not really worth it even from a security hardening perspective. So from PS's perspective you can remove the icons alias configuration, or not, either works for us =).
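As an added illustration (not code from the bug or from Satellite): a small Python audit that parses `<Directory>` blocks like the one quoted above and reports where `Options` leaves `Indexes` enabled, whether set directly, via `All`, or inherited from the `All` default of httpd 2.2 as shipped on RHEL6. The sample config, the hardened block and the `/srv/...` paths are constructed for the example.

```python
import re

# Constructed sample (not the page's own httpd.conf): the alias block quoted in
# the bug, a hardened block, a block using "All" and one relying on inheritance.
SAMPLE_CONF = """
<IfModule alias_module>
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
</Directory>
</IfModule>
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
<Directory /srv/all>
    Options All
</Directory>
<Directory /srv/inherit>
    Options +FollowSymLinks
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPT_RE = re.compile(r'^[ \t]*Options[ \t]+(.*)$', re.M | re.I)
# "All" enables every option except MultiViews, so it switches Indexes on too.
ALL_OPTS = frozenset({"execcgi", "followsymlinks", "includes", "includesnoexec",
                      "indexes", "symlinksifownermatch"})

def effective_options(option_lines, inherited=frozenset()):
    """Merge Options lines the way httpd does: a line containing any bare name
    replaces the inherited set, while +name / -name only adjust it."""
    opts = set(inherited)
    for line in option_lines:
        toks = line.split()
        if not all(t[0] in "+-" for t in toks):
            opts = set()  # a bare name replaces the inherited set entirely
        for t in toks:
            sign, name = (t[0], t[1:].lower()) if t[0] in "+-" else ("+", t.lower())
            names = set(ALL_OPTS) if name == "all" else set() if name == "none" else {name}
            opts = opts - names if sign == "-" else opts | names
    return opts

def directories_with_indexes(conf, inherited=frozenset()):
    """Map each (non-nested) <Directory> path to whether autoindex listing ends
    up enabled. `inherited` is the parent Options set; httpd 2.2 (RHEL6)
    defaults to All, so pass ALL_OPTS to model that server."""
    return {path: "indexes" in effective_options(OPT_RE.findall(body), inherited)
            for path, body in DIR_RE.findall(conf)}
```

Run it against a real httpd.conf with `inherited=ALL_OPTS` on httpd 2.2 hosts; any path reported True is one where a trailing-slash request will return a listing unless an index file exists.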
Closing this out as I do not expect us to address it in the near future. If you believe this is in error, please feel free to re-open with additional business justification.