-
Bug
-
Resolution: Done-Errata
-
Normal
-
None
Description of problem:
A user can read the cgi-bin directory (even if it's empty) of a capsule with a browser going to https://<capsule>/cgi-bin/
How reproducible:
Always
Is this issue a regression from an earlier version:
Steps to Reproduce:
1. Setup a capsule
2. point a browser to https://<capsule>/cgi-bin/
Actual behavior:
Apache lists the content of the directory (by default empty, but it does list it)
Expected behavior:
Either deny directory listing or at least have a configuration option to disable Indexes
Business Impact / Additional info:
Security scanners complain about this behavior and customers have to fix it manually outside of satellite-installer (and re-apply the fix after every execution).
- relates to
-
SAT-18093 Apache Multiviews Arbitrary Directory Listing Issue on Red Hat Capsule
- Closed
-
SAT-28696 Apache Multiviews Arbitrary Directory Listing Issue on Red Hat Capsule
- Closed
- links to
-
RHBA-2024:140284 Important: Satellite 6.16.0 release