List: bugtraq
Subject: Re: FirstClass 7.1 HTTP Server: Remote Directory Listing
From: Graham Morley <GMorley_Public () firstclass ! com>
Date: 2003-10-30 1:58:49
In-Reply-To: <fc.00802e600021e6b400802e600021e6b4.21e717@rbwm.org>
> FirstClass 7.1 HTTP Server allows the listing of all files under the web
> root directory and user web directories.
While this statement is correct, it is not a bug, but rather a misunderstanding/misconfiguration of the FirstClass system by the reporter. The base web folder and user personal web folders are all intended as public data repositories. Anything placed in them is universally accessible by default, unless they are placed in conferences (FirstClass' ACL protected containers) with appropriate permissions set. This is all by design in order to make web publishing as easy as possible for users and new administrators. Note that, in the out-of-the-box configuration, no sensitive information is available in any of these folders.
As stated, private portions of a web site can easily be created by creating FirstClass conferences under the WWW folder (or a user's homepage folder) and setting their permissions (search included) to only allow authenticated users (or subsets thereof) to access the content in them. Alternatively, if the search function is really not desired, it is extremely easy to disable by accessing the "Unauthenticated Users" privilege group (in the "Groups" folder on the administrator's desktop) and turning off the search privilege. However, do not allow the disabling of unauthenticated search functionality to lull you into a false sense of security regarding your data. If you have placed it in a public folder, it remains accessible to anyone who knows how to get at it. The safest thing to do with sensitive information is to not put it in a public place.
> This vulnerability can disclose a huge amount of information about the
> server's setup which will aid attackers in exploiting further holes in the
> server.
This so-called "vulnerability" exposes *no* information about the site that is not already available, since any information turned up in this fashion is already in the public domain. What this really highlights is the poor security policy put in place by the site administrator if they have recklessly placed sensitive information in a public place.
------------------------------------------------------------------------
Graham Morley
Developer, Internet Services Team
Open Text Corporation Messaging Division
Please visit our web sites:
- Open Text: www.opentext.com
- Messaging Division: www.firstclass.com
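The reply's closing point is that the listing itself discloses nothing that was not already public: the real risk is sensitive material sitting in a folder that is served to everyone. The following audit script is an added example, not part of this thread and not FirstClass code; it knows nothing about FirstClass internals and simply walks any directory tree that is published as a web root, flagging file names that usually indicate credentials, backups, keys or database dumps. The sample tree it builds under a temporary directory is constructed for the demonstration, and the name patterns are an illustrative starting set, not a complete one.

```python
"""Audit a publicly served web root for files that should never be public.

Added example (not from the original bugtraq thread, not FirstClass code).
Assumes only that the directory tree passed to audit_public_root() is the
one an unauthenticated visitor can browse or list.
"""
import os
import re
import tempfile
from pathlib import Path

# Name patterns that commonly indicate material unsuited to a public folder.
# Illustrative set constructed for this example; extend it for your own site.
SENSITIVE_PATTERNS = [
    re.compile(r"\.(bak|old|orig|swp|tmp)$", re.I),             # editor/backup copies
    re.compile(r"\.(sql|dump|db|sqlite3?)$", re.I),            # database dumps
    re.compile(r"\.(pem|key|p12|pfx|jks)$", re.I),             # private keys / keystores
    re.compile(r"^\.(env|htpasswd|git|svn)$", re.I),           # dotfiles holding secrets or history
    re.compile(r"(password|passwd|secret|credential)", re.I),  # telling file names
    re.compile(r"\.(zip|tar|tgz|gz|7z)$", re.I),               # archives of whole sites
]


def is_sensitive_name(name: str) -> bool:
    """Return True if a bare file name matches any sensitive pattern."""
    return any(p.search(name) for p in SENSITIVE_PATTERNS)


def audit_public_root(root) -> list:
    """Walk a served web root and return sorted, slash-separated relative
    paths of every file a public listing would expose that looks sensitive.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if is_sensitive_name(fn):
                rel = Path(dirpath, fn).relative_to(root)
                findings.append(str(rel).replace(os.sep, "/"))
    return sorted(findings)


def build_sample_root() -> Path:
    """Create a constructed web root mixing harmless pages with the kind of
    files that get left behind in public folders by mistake."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel in [
        "index.html", "images/logo.gif", "docs/brochure.pdf",     # fine to publish
        "users/jdoe/homepage.html",                               # user web page, fine
        "backup/site.zip", "admin/users.sql",                     # should not be here
        "includes/config.php.bak", "users/jdoe/passwords.txt",    # should not be here
        ".htpasswd",                                              # should not be here
    ]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample content\n")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    print(f"Auditing constructed web root {sample}")
    for hit in audit_public_root(sample):
        print(f"  EXPOSED: {hit}")
```

Run it against the real directory your HTTP server publishes (including user home-page folders) rather than the constructed sample; anything it reports is readable by every visitor whether or not directory listing or search is enabled, which is exactly the point the reply makes.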