Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-88064

Tooltip message for Enable Directory Indexing is not correct

    XMLWordPrintable

Details

    Description

      Steps to reproduce:

      1. Log in as Admin
      2. Create a new site (eg: Test)
      3. After you click Save, Documents and Media section will apear in the bottom of settings
      4. Check tooltip for Enable Directory Indexing
      If this is checked, the site administrator can browse the site's document library files and folders. For example, the site administrator for Test can browse documents at http://localhost:8080/documents/test1.

       

      Based on this message, you would understand that only site admins can browse the DL files and folders. However, when directory indexing is enabled, document libraries are browsable through the URL not only for site admins but for anyone according to the default Document Library permissions. This is a security risk as per OWASP: https://www.owasp.org/index.php/File_System#Insecure_Indexing

      It may be considered changing the tooltip message to reflect this risk.

      Attachments

        Activity

          People

            yvonne.han Yvonne Han
            istvan.dezsi Istvan Dezsi
            Kiyoshi Lee Kiyoshi Lee
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              4 years, 26 weeks, 3 days ago

              Packages

                Version Package
                7.0.0 DXP FP70
                7.0.X
                7.1.10 DXP FP5
                7.1.10.1 SP1
                7.1.2 CE GA3
                7.1.X
                Master