Bug 2125370 - Apache Multiviews Arbitrary Directory Listing Issue on Red Hat Capsule 6.11 [NEEDINFO]
Summary: Apache Multiviews Arbitrary Directory Listing Issue on Red Hat Capsule 6.11
Keywords:
Status: NEW
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Duplicates: 2144854
Depends On:
Blocks:
Reported: 2022-09-08 18:19 UTC by Satyajit Das
Modified: 2023-08-04 00:26 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
kyoshida: needinfo? (ekohlvan)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SAT-18093 0 None None None 2023-06-03 00:30:45 UTC
Red Hat Knowledge Base (Solution) 7007579 0 None None None 2023-04-13 11:10:40 UTC

Description Satyajit Das 2022-09-08 18:19:57 UTC
Description of problem:

Apache Multiviews Arbitrary Directory Listing Issue on Red Hat Capsule 6.11 

Version-Release number of selected component (if applicable):

Capsule 6.11

How reproducible:

100%


Steps to Reproduce:
-------------------
1. Try to access the Capsule URL through your browser or using the curl command:

 curl https://capsule.example.com/?M=A



Actual results:
--------------

Nessus was able to exploit the issue using the following request:

curl https://capsule.example.com/?M=A

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="cgi-bin/">cgi-bin/</a></td><td align="right">2022-03-22 11:36  </td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="html/">html/</a></td><td align="right">2022-03-22 11:36  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>


Expected results:

This Nessus vulnerability (CVE-2001-0731) should be fixed.


Additional info:

Comment 1 Ewoud Kohl van Wijngaarden 2022-09-09 10:54:55 UTC
Technical details:

Today we use /var/www as a document root. This is incorrect and we should use the Pulp static root (as we do with the HTTPS vhost).

It was introduced in https://github.com/theforeman/puppet-foreman_proxy_content/commit/76e2a6852d1d2ca33935ccf8a6ab69992c32ec1d and https://github.com/theforeman/puppet-foreman_proxy_content/blob/15616eb59ba64e8d97440575e7c120f3c2e214d5/spec/acceptance/content_standalone_mirror_spec.rb#L35-L39 has a TODO to resolve it.

After that we should also look into disabling directory listing.

A workaround for this is creating an empty index file:

    touch /var/www/index.html

That doesn't solve any possible security issues, but it tricks naive vulnerability scanners.

Comment 3 Rafael Cavalcanti 2022-11-22 15:03:01 UTC
*** Bug 2144854 has been marked as a duplicate of this bug. ***

Comment 6 Ewoud Kohl van Wijngaarden 2022-11-22 20:59:49 UTC
(In reply to Ewoud Kohl van Wijngaarden from comment #1)
> A workaround for this is creating an empty index file:
> 
>     touch /var/www/index.html
> 
> That doesn't solve any possible security issues, but it tricks naive
> vulnerability scanners.

It was pointed out that the cgi-bin and html directories are also visible, so a more correct workaround is:

    touch /var/www/index.html /var/www/cgi-bin/index.html /var/www/html/index.html
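
The workaround in comments 1 and 6 only holds if every directory under the document root has an index file. The following added example (not part of the bug thread or of Satellite's own code) lists directories that still lack one and recognises an autoindex page in a response body. It assumes DirectoryIndex is index.html; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a document root for directories mod_autoindex would list.
# Assumes DirectoryIndex is index.html; function names are illustrative.

# Print each directory under $1 that has no index.html. While directory
# listing is enabled, every directory printed here is served as an index page.
dirs_without_index() {
    find "$1" -type d | sort | while IFS= read -r dir; do
        [ -e "$dir/index.html" ] || printf '%s\n' "$dir"
    done
}

# Return 0 if the HTML on stdin looks like an autoindex page: the "Index of"
# title plus the column-sort links (?C=N;O=D) visible in the reported output.
is_autoindex() {
    body=$(cat)
    printf '%s' "$body" | grep -q '<title>Index of /' &&
        printf '%s' "$body" | grep -q 'href="?C=[NMSD];O=[AD]"'
}

# Constructed tree mirroring the report: a root with cgi-bin/ and html/,
# with only the comment 1 workaround (root index.html) applied.
demo_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/cgi-bin" "$root/html"
    touch "$root/index.html"
    dirs_without_index "$root" | sed "s|^$root||"
    rm -rf "$root"
}

demo_audit   # on a Capsule: dirs_without_index /var/www
```

An empty result from `dirs_without_index` means the listing is masked by index files, not that directory listing has been disabled in the Apache configuration.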

