Re: FirstClass 7.1 HTTP Server: Remote Directory Listing
In-Reply-To: <fc.00802e600021e6b400802e600021e6b4.21e717@xxxxxxxx>
>FirstClass 7.1 HTTP Server allows the listing of all files under the web
>root directory and user web directories.
While this statement is correct, it is not a bug, but rather a
misunderstanding/misconfiguration of the FirstClass system by the reporter.
The base web folder and user personal web folders are all intended as public
data repositories. Anything placed in them is universally accessible by
default, unless it is placed in conferences (FirstClass' ACL-protected
containers) with appropriate permissions set. This is all by design in order
to make web publishing as easy as possible for users and new administrators.
Note that, in the out-of-the-box configuration, no sensitive information is
available in any of these folders.
As stated, private portions of a web site can easily be created by creating
FirstClass conferences under the WWW folder (or a user's homepage folder) and
setting their permissions (search included) to only allow authenticated users
(or subsets thereof) to access the content in them. Alternatively, if the
search function is really not desired, it is extremely easy to disable by
accessing the "Unauthenticated Users" privilege group (in the "Groups" folder
on the administrator's desktop) and turning off the search privilege. However,
do not allow the disabling of unauthenticated search functionality to lull you
into a false sense of security regarding your data. If you have placed it in a
public folder, it remains accessible to anyone who knows how to get at it. The
safest thing to do with sensitive information is to not put it in a public
place.
>This vulnerability can disclose a huge amount of information about the
>server's setup which will aid attackers in exploiting further holes in the
>server.
This so-called "vulnerability" exposes *no* information about the site that is
not already available, since any information turned up in this fashion is
already in the public domain. What this really highlights is the poor security
policy put in place by the site administrator if they have recklessly placed
sensitive information in a public place.
------------------------------------------------------------------------
Graham Morley
Developer, Internet Services Team
Open Text Corporation Messaging Division
Please visit our web sites:
- Open Text: www.opentext.com
- Messaging Division: www.firstclass.com