      Description

      Steps to reproduce:

      1. Log in as Admin
      2. Create a new site (e.g. Test)
      3. After you click Save, the Documents and Media section will appear at the bottom of the settings
      4. Check tooltip for Enable Directory Indexing
      "If this is checked, the site administrator can browse the site's document library files and folders. For example, the site administrator for Test can browse documents at http://localhost:8080/documents/test1."

      Based on this message, you would understand that only site admins can browse the DL files and folders. However, when directory indexing is enabled, document libraries are browsable through the URL not only for site admins but for anyone according to the default Document Library permissions. This is a security risk as per OWASP: https://www.owasp.org/index.php/File_System#Insecure_Indexing

      Consider changing the tooltip message to reflect this risk.

            People

            • Assignee:
              yvonne.han Yvonne Han
              Reporter:
              istvan.dezsi Istvan Dezsi
              Participants of an Issue:
              Recent user:
              Csaba Turcsan