Bug
Resolution: Unresolved
rhel-8.10, rhel-9.6, rhel-10.0
Low
rhel-stacks-web-servers
What were you trying to do that didn't work?
Security scanners report that /icons is indexed/listable.
What is the impact of this issue to you?
Qualys and other scanners report this as a potential vulnerability.
Please provide the package NVR for which the bug is seen:
httpd (all versions)
How reproducible is this bug?:
Always
Steps to reproduce
- Install httpd
- curl 127.0.0.1/icons/
Expected results
403 Forbidden
Actual results
Lists contents of directory
Additional Information
This is the default configuration from upstream Apache httpd, which has the following in httpd/docs/conf/extra/httpd-autoindex.conf.in (which eventually generates the autoindex.conf we provide):
<Directory "@exp_iconsdir@">
Options Indexes MultiViews
AllowOverride None
Require all granted
</Directory>
Changing this to the following (removing the Indexes option) would fix the issue:
<Directory "@exp_iconsdir@">
Options MultiViews
AllowOverride None
Require all granted
</Directory>
Note that we already modify this file to add "FollowSymlinks" by default, which upstream does not.
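An added audit script, not part of this report or of the httpd package, that scans an httpd configuration for <Directory> blocks which enable directory listing and rewrites them to the hardened form. It handles both the absolute "Options Indexes MultiViews" form quoted above and the relative "+/-Indexes" form; the sample configuration and its paths are constructed for the example.

```python
import re
from typing import Dict

# Constructed sample modelled on the upstream autoindex block quoted in the
# report; the paths are assumptions, not the packaged file's real contents.
SAMPLE_CONF = """\
<Directory "/usr/share/httpd/icons">
    Options Indexes MultiViews
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_LINE = re.compile(r'^\s*Options\s+(.+?)\s*$', re.M | re.I)

def options_enabled(body: str) -> set:
    """Apply each Options line in order: an absolute list replaces the set,
    a list where every token carries +/- merges into it (httpd semantics)."""
    enabled = set()
    for line in OPTIONS_LINE.findall(body):
        tokens = line.split()
        if all(t[0] in "+-" for t in tokens):
            for t in tokens:
                (enabled.add if t[0] == "+" else enabled.discard)(t[1:].lower())
        else:
            enabled = {t.lstrip("+").lower() for t in tokens}
    return enabled

def listable_directories(conf: str) -> Dict[str, set]:
    """Return {path: options} for each <Directory> that enables Indexes."""
    found = {}
    for path, body in DIR_BLOCK.findall(conf):
        opts = options_enabled(body)
        if "indexes" in opts or "all" in opts:  # 'All' implies Indexes
            found[path] = opts
    return found

def harden(conf: str) -> str:
    """Drop Indexes from absolute Options lists; force -Indexes in relative ones."""
    def fix_opts(om):
        tokens = [t for t in om.group(1).split() if t.lstrip("+-").lower() != "indexes"]
        if tokens and all(t[0] in "+-" for t in tokens):
            tokens.append("-Indexes")
        return om.group(0).replace(om.group(1), " ".join(tokens) or "None")
    def fix_block(m):
        return m.group(0).replace(m.group(2), OPTIONS_LINE.sub(fix_opts, m.group(2)))
    return DIR_BLOCK.sub(fix_block, conf)
```

Run `listable_directories` over the deployed autoindex.conf to confirm the /icons block no longer carries Indexes after the change described above.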