Univention Bugzilla – Full Text Bug Listing
Summary: | Information disclosure: directory listing are enabled | ||
---|---|---|---|
Product: | UCS | Reporter: | Florian Best <best> |
Component: | UMC (Generic) | Assignee: | Florian Best <best> |
Status: | CLOSED FIXED | QA Contact: | Alexander Kläser <klaeser> |
Severity: | normal | ||
Priority: | P5 | CC: | stoeckigt |
Version: | UCS 4.2 | ||
Target Milestone: | UCS 4.2-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=37877 | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | | Enterprise Customer affected?: | Yes |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | | Bug group (optional): | |
Max CVSS v3 score: |
Description
Florian Best
2017-09-14 10:57:12 CEST
The directory listing for /var/www/saml and /var/www/univention/ has been disabled.

univention-saml (4.0.14-9):
ba77eba55c028700735e7311ad6f86909e036813 | Merge branch 'fbest/45394-information-disclosure-apache' into 4.2-2
4ab6d8182a8e26ef26198b9af2003c0f1d830e2d | Bug #45394: protect against information disclosure

univention-saml.yaml:
ba77eba55c028700735e7311ad6f86909e036813 | Merge branch 'fbest/45394-information-disclosure-apache' into 4.2-2
f7e7e28ca56392d549d8223761fddb8357af62c1 | YAML Bug #45394

univention-web.yaml:
ba77eba55c028700735e7311ad6f86909e036813 | Merge branch 'fbest/45394-information-disclosure-apache' into 4.2-2
80bfff8ad261c3d70938a7d7a4be1cfa4a44dc33 | YAML Bug #45394

univention-web (1.0.42-41):
ba77eba55c028700735e7311ad6f86909e036813 | Merge branch 'fbest/45394-information-disclosure-apache' into 4.2-2
1d0aa93d06976efb37757290d5b6cac5be15c74d | Bug #45394: protect /var/www/univention/ against information disclosure by disabling directory listings

wouldn't it be better to disable directory listing at all?

(In reply to Nico Stöckigt from comment #2)
> wouldn't it be better to disable directory listing at all?

This would be an API change, I don't know if there is behavior which relies on it.

Changes work as expected, YAML file OK. → VERIFIED
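The per-directory fix discussed in this report can be checked offline by evaluating how Apache merges `Options` lines across nested `<Directory>` blocks. The following is an added example, not code from the UCS packages: the sample configuration and the helper names `directory_options` and `indexes_enabled` are assumptions, and `.htaccess` files, `<Location>` blocks and regex `<Directory ~ ...>` sections are not modelled.

```python
import re

# Constructed sample configuration (an assumption, not the UCS files).
SAMPLE_CONF = """
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/univention/>
    Options -Indexes
</Directory>
<Directory /var/www/saml/>
    Options -Indexes
</Directory>
"""
# "All" covers every option except MultiViews.
ALL = {"execcgi", "followsymlinks", "includes", "includesnoexec",
       "indexes", "symlinksifownermatch"}


def directory_options(conf):
    """Return (path, option tokens) for each Options line in a plain <Directory> block."""
    found, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">~]+?)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1).rstrip("/") or "/"
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current and re.match(r"Options\s", line, re.I):
            found.append((current, line.split()[1:]))
    return found


def indexes_enabled(conf, path):
    """True if Indexes is in effect for path after Apache-style Options merging."""
    path = path.rstrip("/") or "/"
    effective = {"followsymlinks"}  # Apache 2.4 default when nothing is set
    blocks = [(d, o) for d, o in directory_options(conf)
              if d == "/" or path == d or path.startswith(d + "/")]
    for _, opts in sorted(blocks, key=lambda b: len(b[0])):  # shortest first
        if not any(o[0] in "+-" for o in opts):
            effective = set()  # unprefixed options replace inherited ones
        for o in opts:
            name = o.lstrip("+-").lower()
            names = ALL if name == "all" else set() if name == "none" else {name}
            effective = effective - names if o[0] == "-" else effective | names
    return "indexes" in effective
```

With the sample above, sibling directories under `/var/www/` that have no block of their own still inherit `Indexes`, which is the trade-off raised in the comment about disabling listings everywhere.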