Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: 6.16.0
Affects Version/s: None
Component/s: Installation
Labels:
- team-triaged
- triaged

Story Points:
0
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Fixed in Build:
foreman-installer-3.12.0-0.2.rc1
PM Score:
0
Satellite Team:

Platform
BZ Keywords:
- Unset
Intelligence Requested:
Market:

Severity:
Moderate

Target Version:

6.16.0

Regression:
None

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

PX Priority Data:
PX Impact Score:

Description of problem:

A user can read the cgi-bin directory (even if it's empty) of a capsule with a browser going to https://<capsule>/cgi-bin/

How reproducible:

Always

Is this issue a regression from an earlier version:

Steps to Reproduce:

1. Setup a capsule

2. point a browser to https://<capsule>/cgi-bin/

Actual behavior:
Apache lists the content of the directory (by default empty, but it does list it)

Expected behavior:
Either deny directory listing or at least have a configuration option to disable Indexes

Business Impact / Additional info:

Security scanners complain about this behavior and customers have to fix it manually outside of satellite-installer (and re-apply the fix after every execution).

relates to

SAT-28696 Apache Multiviews Arbitrary Directory Listing Issue on Red Hat Capsule

Backlog

SAT-18093 Apache Multiviews Arbitrary Directory Listing Issue on Red Hat Capsule

Release Pending

links to

https://projects.theforeman.org/issues/37620

RHBA-2024:140284 Important: Satellite 6.16.0 release

Assignee:: Ewoud Kohl van Wijngaarden

Reporter:: Joniel Pasqualetto

QA Contact:: Radek Mynar

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/07/29 3:50 PM

Updated:: 2024/10/24 4:48 PM

Resolved:: 2024/08/29 11:15 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates