Bug 45394 - Information disclosure: directory listing are enabled
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
P5 normal
UCS 4.2-2-errata
Assigned To: Florian Best
Alexander Kläser
Reported: 2017-09-14 10:57 CEST by Florian Best
Modified: 2017-09-20 15:04 CEST

What kind of report is it?: Security Issue
Enterprise Customer affected?: Yes
Description Florian Best univentionstaff 2017-09-14 10:57:12 CEST
RISK CLASS
====================
Information Exposure
Misconfiguration
BUSINESS RISK
====================
Web servers can be configured to automatically list the contents of directories that do not have an index page present. This can aid an attacker by enabling them to quickly identify the resources at a given path, and proceed directly to analyzing and attacking those resources. It particularly increases the exposure of sensitive files within the directory that are not intended to be accessible to users, such as temporary files and crash dumps.
DESCRIPTION
====================
Directory listings themselves do not necessarily constitute a security vulnerability. Any sensitive resources within the web root should in any case be properly access-controlled, and should not be accessible by an unauthorized party who happens to know or guess the URL. Even when directory listings are disabled, an attacker may guess the location of sensitive files using automated tools.
REMEDIATION
=================
There is not usually any good reason to provide directory listings, and disabling them may place additional hurdles in the path of an attacker. This can normally be achieved in two ways:
1) Configure your web server to prevent directory listings for all paths beneath the web root;
2) Place into each directory a default file (such as index.htm) that the web server will display instead of returning a directory listing.
PROOF OF CONCEPT
====================
Proof of Concept
34 instances of this issue were identified, at the following locations:
///saml/
//saml/
/saml/
/univention/js/
/univention/js/dgrid/
/univention/js/dgrid/css/
/univention/js/dgrid/css/images/
/univention/js/dgrid/css/skins/
/univention/js/dgrid/css/skins/images/
/univention/js/dgrid/doc/
/univention/js/dgrid/doc/components/
/univention/js/dgrid/doc/components/core-components/
/univention/js/dgrid/doc/components/extensions/
/univention/js/dgrid/doc/components/mixins/
/univention/js/dgrid/doc/components/utilities/
/univention/js/dgrid/doc/migrating/
/univention/js/dgrid/doc/usage/
/univention/js/dgrid/extensions/
/univention/js/dgrid/extensions/nls/
/univention/js/dgrid/extensions/nls/ar/
/univention/js/dgrid/extensions/nls/de/
/univention/js/dgrid/extensions/nls/es/
/univention/js/dgrid/extensions/nls/fr/
/univention/js/dgrid/extensions/nls/ja/
/univention/js/dgrid/extensions/nls/pt/
/univention/js/dgrid/extensions/nls/ro/
/univention/js/dgrid/extensions/nls/sk/
/univention/js/dgrid/extensions/nls/sl/
/univention/js/dgrid/extensions/nls/th/
/univention/js/dgrid/extensions/nls/zh-cn/
/univention/js/dgrid/extensions/nls/zh-hk/
/univention/js/dgrid/util/
/univention/js/dijit/
/univention/js/dojo/
REFERENCES
====================
https://cwe.mitre.org/data/definitions/200.html
http://html5sec.org/

Directory listing is allowed. However, this should be prevented by default.
Comment 1 Florian Best univentionstaff 2017-09-14 14:17:09 CEST
The directory listing for /var/www/saml and /var/www/univention/ has been disabled.

univention-saml (4.0.14-9):
ba77eba55c028700735e7311ad6f86909e036813 | Merge branch 'fbest/45394-information-disclosure-apache' into 4.2-2
4ab6d8182a8e26ef26198b9af2003c0f1d830e2d | Bug #45394: protect against information disclosure

univention-saml.yaml:
ba77eba55c028700735e7311ad6f86909e036813 | Merge branch 'fbest/45394-information-disclosure-apache' into 4.2-2
f7e7e28ca56392d549d8223761fddb8357af62c1 | YAML Bug #45394

univention-web.yaml:
ba77eba55c028700735e7311ad6f86909e036813 | Merge branch 'fbest/45394-information-disclosure-apache' into 4.2-2
80bfff8ad261c3d70938a7d7a4be1cfa4a44dc33 | YAML Bug #45394

univention-web (1.0.42-41):
ba77eba55c028700735e7311ad6f86909e036813 | Merge branch 'fbest/45394-information-disclosure-apache' into 4.2-2
1d0aa93d06976efb37757290d5b6cac5be15c74d | Bug #45394: protect /var/www/univention/ against information disclosure by disabling directory listings
Comment 2 Nico Stöckigt univentionstaff 2017-09-18 10:55:46 CEST
Wouldn't it be better to disable directory listing at all?
Comment 3 Florian Best univentionstaff 2017-09-18 10:57:25 CEST
(In reply to Nico Stöckigt from comment #2)
> Wouldn't it be better to disable directory listing at all?
This would be an API change, I don't know if there is behavior which relies on it.
Comment 4 Alexander Kläser univentionstaff 2017-09-18 12:50:37 CEST
Changes work as expected, YAML file OK.

→ VERIFIED
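
A regression check for the fix described in comment 1, added here as an example and not part of the bug report or of Univention's code: it classifies HTTP responses as Apache-style auto-generated index pages so the reported paths can be re-tested after the change. The function names and the sample responses are constructed for illustration, and the heuristics assume Apache mod_autoindex output.

```python
import re
from html.parser import HTMLParser

# mod_autoindex titles its generated pages "Index of <path>".
_TITLE_RE = re.compile(r"\s*Index of /", re.IGNORECASE)

class _PageParser(HTMLParser):
    """Collects the <title> text and every <a href> of a page."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def is_directory_listing(status, body):
    """True if the response looks like an auto-generated index page."""
    if status != 200:  # with listings disabled, a directory without an index file answers 403
        return False
    page = _PageParser()
    page.feed(body)
    # Column-sort links ("?C=N;O=D") and a "Parent Directory" entry are
    # emitted by the index generator, not by ordinary application pages.
    generated = any(h.startswith("?C=") for h in page.hrefs) or "Parent Directory" in body
    return bool(_TITLE_RE.match(page.title)) and generated

def audit(responses):
    """Map {path: (status, body)} to the sorted paths that still expose a listing."""
    return sorted(p for p, (s, b) in responses.items() if is_directory_listing(s, b))

# Constructed sample responses (not captured from a real system).
LISTING = ('<html><head><title>Index of /saml</title></head><body><h1>Index of /saml</h1>'
           '<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a></body></html>')
FORBIDDEN = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"
APP_PAGE = "<html><head><title>Index of /docs</title></head><body>Handbook index</body></html>"
SAMPLE = {"/saml/": (200, LISTING), "/univention/js/": (403, FORBIDDEN),
          "/univention/js/dojo/": (200, APP_PAGE)}

if __name__ == "__main__":
    print("listing still enabled:", audit(SAMPLE))
```

The `APP_PAGE` case shows why the title alone is not enough: a regular page titled "Index of ..." is not flagged unless the generator's own markers are present.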