
List:       bugtraq
Subject:    Re: FirstClass 7.1 HTTP Server: Remote Directory Listing
From:       Graham Morley <GMorley_Public () firstclass ! com>
Date:       2003-10-30 1:58:49

In-Reply-To: <fc.00802e600021e6b400802e600021e6b4.21e717@rbwm.org>

> FirstClass 7.1 HTTP Server allows the listing of all files under the web
> root directory and user web directories.

While this statement is correct, it is not a bug, but rather a
misunderstanding/misconfiguration of the FirstClass system by the reporter.  The base
web folder and user personal web folders are all intended as public data
repositories. Anything placed in them is universally accessible by default, unless
they are placed in conferences (FirstClass' ACL protected containers) with
appropriate permissions set.  This is all by design in order to make web publishing
as easy as possible for users and new administrators.  Note that, in the out of the
box configuration, no sensitive information is available in any of these folders.

As stated, private portions of a web site can easily be created by creating
FirstClass conferences under the WWW folder (or a user's homepage folder) and setting
their permissions (search included) to only allow authenticated users (or subsets
thereof) to access the content in them.  Alternatively, if the search function is
really not desired, it is extremely easy to disable by accessing the "Unauthenticated
Users" privilege group (in the "Groups" folder on the administrator's desktop) and
turning off the search privilege.  However, do not allow the disabling of
unauthenticated search functionality to lull you into a false sense of security
regarding your data.  If you have placed it in a public folder, it remains accessible
to anyone who knows how to get at it.  The safest thing to do with sensitive
information is to not put it in a public place.

> This vulnerability can disclose a huge amount of information about the
> server's setup which will aid attackers in exploiting further holes in the
> server.

This so-called "vulnerability" exposes *no* information about the site that is not
already available, since any information turned up in this fashion is already in the
public domain.  What this really highlights is the poor security policy put in place by
the site administrator if they have recklessly placed sensitive information in a
public place.

------------------------------------------------------------------------
Graham Morley
Developer, Internet Services Team
Open Text Corporation Messaging Division
Please visit our web sites:
 - Open Text:  www.opentext.com
 - Messaging Division: www.firstclass.com
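The caveat in the reply above (turning off the unauthenticated search/listing privilege does not protect a file that sits in a public folder, because anyone who knows its name can still fetch it) is easy to demonstrate with a generic HTTP server. The following is an added example, not code from FirstClass or from either poster: it uses Python's standard-library http.server as a stand-in for any web server, a constructed sample file name (`budget-2003.txt`) as the "sensitive" content, and a subclass that refuses directory listings as the "search disabled" configuration. Nothing in it is FirstClass-specific.

```python
"""Added example: listing disabled != content protected.

Runs two throwaway HTTP servers over the same temporary folder, one with
directory listing on and one with it refused, and probes each as an
unauthenticated client.  Assumes only the Python standard library.
"""
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Stock file server, with per-request logging silenced for the demo."""

    def log_message(self, format, *args):
        pass


class NoListingHandler(QuietHandler):
    """Same file server, but enumeration of a folder is refused (the
    'unauthenticated search turned off' case).  Files are still served."""

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None


def serve(directory, allow_listing):
    """Start a server on an ephemeral loopback port; returns (server, base_url)."""
    handler_cls = QuietHandler if allow_listing else NoListingHandler
    srv = socketserver.TCPServer(("127.0.0.1", 0), partial(handler_cls, directory=directory))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch(url):
    """Unauthenticated GET; returns (status, body_text) even for error codes."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url, known_file):
    """Check the two exposure paths: does a listing reveal the file, and
    does fetching it directly by name succeed?"""
    list_status, list_body = fetch(base_url + "/")
    direct_status, _ = fetch(base_url + "/" + known_file)
    return {
        "listing": list_status == 200 and known_file in list_body,
        "direct": direct_status == 200,
    }


def demo():
    """Returns the probe results for both server configurations."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample content standing in for data left in a public web folder.
        with open(os.path.join(d, "budget-2003.txt"), "w") as f:
            f.write("constructed sample: supposedly private data\n")
        results = {}
        for label, allow in (("listing_on", True), ("listing_off", False)):
            srv, base = serve(d, allow)
            try:
                results[label] = probe(base, "budget-2003.txt")
            finally:
                srv.shutdown()
                srv.server_close()
        return results


if __name__ == "__main__":
    print(demo())
```

With listing on, the file shows up in the index and is fetchable; with listing off, the index returns 403 but the direct fetch still returns 200. That second result is the point of the reply: the only durable fix is to move the data out of the public folder (or, in FirstClass terms, into an ACL-protected conference), not to hide the index.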

