Details

    • Branch Version/s:
      6.0.x
    • Backported to Branch:
      Committed

      Description

      Looks like we allow anyone to browse through all documents and images that have guest VIEW permission and there doesn't seem to be any way to disable this directory indexing.

      The paths I found vulnerable are /documents/ and /image/.

      See https://www.owasp.org/index.php/File_System#Insecure_Indexing for more information on the security implications.

          Activity

          Vicki Tsang added a comment -

          This is being bulk edited to prepare for new workflow

          Michael Saechang added a comment -

          Committed on:
          Portal 6.2.x GIT ID: 514720c19a5e44952eefcf8455bfcae85b30f6b8.

          Paul Piao (Inactive) added a comment - edited

          PASSED Manual Testing using the following steps:

          1. Open http://localhost:8080/documents/
          2. You should see document library directory listing.

          After fix:

          1. Open http://localhost:8080/documents/
          2. You get HTTP Status 403 access forbidden.

          After you set web.server.servlet.directory.indexing.enabled=true in portal-ext.properties and restart portal:

          1. Open http://localhost:8080/documents/
          2. You should see document library directory listing.

          Reproduced on:
          Tomcat 7.0 + MySQL 5. Portal 6.1.0 CE RC1.

          You should see document library directory listing.

          Fixed on:
          Tomcat 6.0 + MySQL 5. Portal 6.0.x GIT ID: c549b70ebd5b506de593b413bf8a8cdeb4aa2a6a.
          Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: d83490f875f72278c6aa1e4cf017095e0c54e1cf.
          Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: c2dde1c4a6fd4640dc541648e004ca335fbd5ae2.

          You get HTTP Status 403 access forbidden; after setting the property in portal-ext.properties, you should see the document library directory listing.

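The test steps above define the hardened behaviour (HTTP 403 on /documents/ and /image/ unless web.server.servlet.directory.indexing.enabled=true is set in portal-ext.properties). The script below is an added example for auditing a deployment against that behaviour; it is not Liferay code and not part of the ticket. The property name comes from the ticket; the properties snippet, the captured responses and the listing-detection markers are constructed samples, and the parser is a minimal reading of the Java .properties format.

```python
"""Audit helper (added example, not Liferay code): flag a portal-ext.properties
that re-enables servlet directory indexing, and classify captured responses
for the affected paths against the 403-after-fix behaviour the ticket describes."""

import re

# Only this identifier comes from the ticket.
PROPERTY = "web.server.servlet.directory.indexing.enabled"

# Constructed sample: a deployment where someone turned listings back on.
SAMPLE_PROPERTIES = """\
# portal-ext.properties (constructed sample)
company.default.locale=en_US
! Listings re-enabled below:
web.server.servlet.directory.indexing.enabled=true
"""

# Constructed sample responses keyed by the paths named in the ticket.
SAMPLE_RESPONSES = {
    "/documents/": (200, "<html><head><title>Directory Listing For /documents/</title></head></html>"),
    "/image/": (403, "<html><body>HTTP Status 403 - Access forbidden</body></html>"),
}

# Heuristic markers for listing pages (assumption; Tomcat-style title included).
LISTING_MARKERS = ("directory listing", "index of", "<title>directory")


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' ':' or whitespace
    as separator, trailing-backslash continuations, last occurrence of a key wins."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending:                       # continuation of the previous line
            line = pending + line
            pending = ""
        elif not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if not m:                         # bare key with no separator
            props[line] = ""
            continue
        props[m.group(1)] = m.group(2).strip()
    return props


def directory_indexing_enabled(properties_text):
    """True only when the property is explicitly 'true' (case-insensitive).
    Absent or any other value is treated as disabled, matching the ticket's
    post-fix behaviour (403 until the property is set to true)."""
    value = parse_properties(properties_text).get(PROPERTY, "false")
    return value.strip().lower() == "true"


def classify_response(status, body):
    """'hardened' for 403, 'exposed' for a 200 that looks like a listing, else 'other'."""
    if status == 403:
        return "hardened"
    if status == 200 and any(marker in body.lower() for marker in LISTING_MARKERS):
        return "exposed"
    return "other"


def audit(properties_text, responses):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if directory_indexing_enabled(properties_text):
        findings.append(f"{PROPERTY}=true re-enables directory listing")
    for path, (status, body) in responses.items():
        if classify_response(status, body) == "exposed":
            findings.append(f"{path}: directory listing returned (HTTP {status})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_RESPONSES) or ["no findings"]:
        print(finding)
```

In use, replace SAMPLE_PROPERTIES with the contents of the deployed portal-ext.properties and SAMPLE_RESPONSES with status/body pairs captured from requests to the two paths; a clean run returns no findings.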
