A web directory was found to be browsable (Cobbler)

Bug #1646744 reported by Adam Heczko
Affects: Fuel for OpenStack
Status: Fix Released
Importance: Low
Assigned to: Anton Chevychalov
Milestone: (none)

Bug Description

Detailed bug description:
A web directory was found to be browsable, which means that anyone can see the contents of the directory. These directories can be found:
 * via page spidering (following hyperlinks), or
 * as part of a parent path (checking each directory along the path and searching for "Directory Listing" or similar strings), or
 * by brute forcing a list of common directories.
Browsable directories could allow an attacker to perform a directory traversal attack by viewing "hidden" files in the web root, including CGI scripts, data files, or backup pages.

Steps to reproduce:
HTTP request to https://10.226.0.9/icons/
HTTP response code was an expected 200
5: </head> 6: <body> 7: <h1>Index of /icons</h1> 8: <table> 9: ...CO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A...

Expected results:
No directory and no items index is provided.

Apache HTTPD:
Disable web directory browsing for all directories and subdirectories.
In your httpd.conf file, disable the "Indexes" option for the appropriate <Directory> tag by removing it from the Options line.

tags: added: customer-found
Changed in fuel:
assignee: nobody → MOS Maintenance (mos-maintenance)
importance: Medium → Low
Changed in fuel:
assignee: MOS Maintenance (mos-maintenance) → Anton Chevychalov (achevychalov)
Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix proposed to packages/centos7/cobbler (8.0)

Fix proposed to branch: 8.0
Change author: Anton Chevychalov <email address hidden>
Review: https://review.fuel-infra.org/32993

Changed in fuel:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix proposed to fuel-library (stable/8.0)

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/455227

Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix merged to packages/centos7/cobbler (8.0)

Reviewed: https://review.fuel-infra.org/32993
Submitter: Pkgs Jenkins <email address hidden>
Branch: 8.0

Commit: 326837d626251e8d0947e6b2cbbdad4ff64adfe3
Author: Anton Chevychalov <email address hidden>
Date: Tue Apr 11 10:21:00 2017

Remove useless Indexes option

There are potential security issues with Indexes on directories
without real need.

Change-Id: Iaed2d80a22a47e036471e7d3685cfc71b42893ba
Closes-Bug: #1646744

Changed in fuel:
status: In Progress → Fix Committed
Changed in fuel:
status: Fix Committed → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to fuel-library (stable/8.0)

Reviewed: https://review.openstack.org/455227
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=f043736afa1df126e013be90d3109ac2d023c1b3
Submitter: Jenkins
Branch: stable/8.0

commit f043736afa1df126e013be90d3109ac2d023c1b3
Author: Anton Chevychalov <email address hidden>
Date: Mon Apr 10 13:32:50 2017 +0300

    Remove useless Indexes and /icons/ directives

    There are a lot of useless or non-existent dirs with Indexes on them.
    That patch removes that for cobbler.

    Change-Id: I9f93522a757cc07559d188b9100c8d6a1488bb1d
    Closes-Bug: #1646744

Changed in fuel:
status: In Progress → Fix Committed
Ekaterina Shutova (eshutova) wrote:

Verified on 8.0 mu4 updates.
Before the updates it was possible to browse the https://10.109.0.2/icons/ directory;
the HTTP response code was 200.
After the updates it is not possible: a 404 Not Found response is received.

Changed in fuel:
status: Fix Committed → Fix Released
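The scanner's remediation advice in the description (remove Indexes from the Options line of the relevant <Directory> block) and the before/after verification in the comment above (200 with an "Index of /icons" page before the update, 404 after) can both be turned into repeatable checks. The following is an added example, not code from the bug report, the scanner, or the Fuel/Cobbler project: one function audits an httpd.conf text for <Directory> blocks whose effective Options still enable Indexes, and a second recognises an Apache autoindex page from a response's status and body. The configuration fragments and response bodies are constructed for the example; the Options-merging rules are an approximation of Apache's and nested-directory inheritance is not modelled.

```python
"""Added example (not from the bug report, the scanner, or the Fuel/Cobbler
project): two checks for the Apache "Indexes" exposure discussed above.
All configuration snippets and HTTP response bodies below are constructed
for the example."""
import re

# Matches each <Directory ...> ... </Directory> block and captures its path
# and body. Only <Directory> blocks are examined; <Location>, .htaccess and
# Include'd files are out of scope for this example.
DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>',
    re.IGNORECASE | re.DOTALL)
# Matches an "Options ..." directive line inside a block.
OPTIONS_RE = re.compile(r'^\s*Options\s+(.+)$', re.IGNORECASE | re.MULTILINE)


def directories_with_indexes(conf_text):
    """Return the paths of <Directory> blocks whose effective Options enable
    Indexes (the autoindex listing the scanner flagged).

    Apache semantics approximated here: an Options line with no +/- prefixes
    replaces the whole option set ("Options Indexes FollowSymLinks", and
    "Options All" implies Indexes); a line made only of +/- tokens merges
    into the current set ("Options +Indexes" / "Options -Indexes").
    Inheritance between nested directories is not modelled.
    """
    flagged = []
    for path, body in DIRECTORY_RE.findall(conf_text):
        enabled = False
        for opts in OPTIONS_RE.findall(body):
            tokens = [t.lower() for t in opts.split()]
            if tokens and all(t[0] in "+-" for t in tokens):
                if "+indexes" in tokens:
                    enabled = True
                if "-indexes" in tokens:
                    enabled = False
            else:
                enabled = "indexes" in tokens or "all" in tokens
        if enabled:
            flagged.append(path)
    return flagged


# Markers of an Apache autoindex page, as seen in the scanner's excerpt:
# "Index of /<dir>" in the title/heading and the ?C=N;O=D column-sort links.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.IGNORECASE),
    re.compile(r"<h1>\s*Index of /", re.IGNORECASE),
    re.compile(r'href="\?C=[NMSD];O=[AD]"', re.IGNORECASE),
)


def looks_like_directory_listing(status, body):
    """True when a response is a 200 carrying at least two autoindex markers.
    Requiring two markers avoids flagging a page that merely mentions
    "Index of /" in its text; a 404 (what the verifier saw after the fix)
    is never a listing."""
    if status != 200:
        return False
    hits = sum(1 for marker in LISTING_MARKERS if marker.search(body))
    return hits >= 2


# Constructed httpd.conf fragments: the weak form and the corrected form.
VULNERABLE_CONF = """
<Directory "/var/www/cobbler/">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/icons">
    Options +Indexes
</Directory>
<Directory "/var/www/private">
    Options -Indexes
</Directory>
"""

FIXED_CONF = """
<Directory "/var/www/cobbler/">
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/icons">
    Options -Indexes
</Directory>
"""

# Constructed response bodies modelled on the scanner excerpt (before) and
# on the 404 the verifier reported (after).
BEFORE_BODY = (
    "<html><head><title>Index of /icons</title></head><body>"
    '<h1>Index of /icons</h1><table><tr><th><a href="?C=N;O=D">Name</a></th>'
    '<th><a href="?C=M;O=A">Last modified</a></th></tr></table></body></html>'
)
AFTER_BODY = ("<html><head><title>404 Not Found</title></head>"
              "<body><h1>Not Found</h1></body></html>")


if __name__ == "__main__":
    print("Indexes enabled in:", directories_with_indexes(VULNERABLE_CONF))
    print("After fix:", directories_with_indexes(FIXED_CONF))
    print("Before fix listing?", looks_like_directory_listing(200, BEFORE_BODY))
    print("After fix listing?", looks_like_directory_listing(404, AFTER_BODY))
```

Running the audit over the real httpd.conf (and any Include'd files, which this example does not follow) lists the blocks still worth reviewing; the response check is what a post-update verification like the one in the comment would automate, and it deliberately treats the post-fix 404 as "not a listing" rather than as an error.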
This report contains Public Security information  