[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: FirstClass 7.1 HTTP Server: Remote Directory Listing
- To: bugtraq@securityfocus.com
- Subject: Re: FirstClass 7.1 HTTP Server: Remote Directory Listing
- From: Graham Morley <GMorley_Public@firstclass.com>
- Date: 30 Oct 2003 01:58:49 -0000
In-Reply-To: <fc.00802e600021e6b400802e600021e6b4.21e717@rbwm.org>
>FirstClass 7.1 HTTP Server allow the listing of all files under the web
>root directory and user web directories.
While this statement is correct, it is not a bug, but rather a
misunderstanding/misconfiguration of the FirstClass system by the reporter.
The base web folder and user personal web folders are all intended as public
data repositories. Anything placed in them is universally accessible by
default, unless they are placed in conferences (FirstClass' ACL protected
containers) with appropriate permissions set. This is all by design in order
to make web publishing as easy as possible for users and new administrators.
Note that, in the out of the box configuration, no sensitive information is
available in any of these folders.
As stated, private portions of a web site can easily be created by creating
FirstClass conferences under the WWW folder (or a user's homepage folder) and
setting their permissions (search included) to only allow authenticated users
(or subsets thereof) to access the content in them. Alternatively, if the
search function is really not desired, it is extremely easy to disable by
accessing the "Unauthenticated Users" privilege group (in the "Groups" folder
on the administrator's desktop) and turning off the search privilege. However,
do not allow the disabling of unauthenticated search functionality to lull you
into a false sense of security regarding your data. If you have placed it in a
public folder, it remains accessible to anyone who knows how to get at it. The
safest thing to do with sensitive information is to not put it in a public
place.
>This vulnerability can disclose a huge amount of information about the
>servers setup which will aid attackers in exploiting further holes in the
>server.
This so-called "vulnerability" exposes *no* information about the site that is
not already available, since any information turned up in this fashion is
already in the public domain. What this really hilights is the poor security
policy put in place by the site administrator if they have recklessly placed
sensitive information in a public place.
------------------------------------------------------------------------Graham
Morley
Developer, Internet Services Team
Open Text Corporation Messaging Division
Please visit our web sites:
- Open Text: www.opentext.com
- Messaging Division: www.firstclass.com