
On capsules, a user can read the directory cgi-bin of the server

    • Platform
    • 0
    • False
    • foreman-installer-3.12.0-0.2.rc1
    • Moderate
    • None
    • None
    • None
    • None

      Description of problem:

      A user can read the cgi-bin directory of a capsule (even if it is empty) by pointing a browser at https://<capsule>/cgi-bin/


      How reproducible:

      Always

      Is this issue a regression from an earlier version:


      Steps to Reproduce:

      1. Set up a capsule

      2. Point a browser to https://<capsule>/cgi-bin/


      Actual behavior:
      Apache lists the content of the directory (by default empty, but it does list it)

      Expected behavior:
      Either deny directory listing outright, or at least provide a configuration option to disable the Apache Indexes option


      Business Impact / Additional info:

      Security scanners complain about this behavior and customers have to fix it manually outside of satellite-installer (and re-apply the fix after every execution).
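      As an added example that is not part of this issue or of the Satellite installer, the following POSIX shell script turns the check described above (and the curl -I verification in the comments) into a repeatable test: it fetches /, /cgi-bin, /foo and /pub, compares the status codes with what a capsule should return, and flags any Apache autoindex page served outside /pub. The capsule URL, the optional CA file and the CAPSULE_URL / CAPSULE_CA variable names are assumptions; the sample responses in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the issue: automate the directory-listing check
# the issue describes. Paths and expected status codes mirror the manual
# curl -I verification; the capsule URL is a placeholder supplied by the caller.

# judge_response PATH STATUS BODY
# Prints one verdict and returns 0 only when the response is acceptable:
#   ok                     status matches what the capsule should return
#   listing                Apache autoindex page served outside /pub
#   unexpected-status:NNN  status differs from the expected code
judge_response() {
    path=$1
    status=$2
    body=$3

    # Expected codes: / is forbidden, /pub is the only intended listing,
    # anything else (including /cgi-bin) must not exist.
    case "$path" in
        /pub|/pub/) expected=200 ;;
        /)          expected=403 ;;
        *)          expected=404 ;;
    esac

    # Apache's autoindex output carries a "<title>Index of /..." heading;
    # seeing it anywhere other than /pub means Indexes is still enabled there.
    case "$path" in
        /pub|/pub/) ;;
        *)
            case "$body" in
                *"<title>Index of "*) echo listing; return 1 ;;
            esac
            ;;
    esac

    if [ "$status" != "$expected" ]; then
        echo "unexpected-status:$status"
        return 1
    fi
    echo ok
    return 0
}

# check_capsule BASE_URL [CA_FILE]
# Fetches each path, prints a one-line report per path and returns non-zero
# if any response is unacceptable. CA_FILE is optional (assumed location,
# chosen by the caller) and is passed to curl so the capsule certificate
# is verified rather than ignored.
check_capsule() {
    base=$1
    ca=${2-}
    rc=0
    for path in / /cgi-bin /foo /pub; do
        tmp=$(mktemp)
        status=$(curl -sS -o "$tmp" -w '%{http_code}' ${ca:+--cacert "$ca"} "$base$path") || status=000
        body=$(head -c 4096 "$tmp")
        rm -f "$tmp"
        verdict=$(judge_response "$path" "$status" "$body") || rc=1
        printf '%-10s %s %s\n' "$path" "$status" "$verdict"
    done
    return $rc
}

# Run only when a capsule URL is supplied (placeholder host), e.g.
#   CAPSULE_URL=https://capsule.example.com CAPSULE_CA=/path/to/ca.crt sh check_listing.sh
if [ -n "${CAPSULE_URL-}" ]; then
    check_capsule "$CAPSULE_URL" "${CAPSULE_CA-}"
fi
```

      A non-zero exit means at least one path either returned an unexpected code or rendered an Apache index page where none should exist; the corresponding fix on the Apache side is to drop directory listing from the affected Directory block with `Options -Indexes` (or to deny the path entirely), which is what the expected behaviour above asks the installer to do.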



            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Critical: Satellite 6.16.0 release), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:8906


            Only the pub directory provides a directory listing

            curl -I https://<capsule_fqdn>/ => 403
            curl -I https://<capsule_fqdn>/cgi-bin => 404
            curl -I https://<capsule_fqdn>/foo => 404
            curl -I https://<capsule_fqdn>/pub => 200

            Tested with HTTP/1.1 and HTTP/2

            VERIFIED with Capsule 6.16.0 SNAP1 @RHEL8.10 & RHEL9.4


            I opened https://projects.theforeman.org/issues/37620 upstream to change the docroot from /var/www to something else (like /var/www/html).


              ekohlvan@redhat.com Ewoud Kohl van Wijngaarden
              rhn-support-jpasqual Joniel Pasqualetto
              Radek Mynar Radek Mynar