Possible Security Issue

We are getting ready to release our AD SelfService Plus site out to our users. In accordance with our company policy they were conducting a security audit of the site and found a few things they wanted to have answers to. Please review below the concerns of our security officer and let me know what we can do to resolve his concerns.

Hey John, did a little playing around with the xxx.xxx.xxx site last night and found a few things that may be of concern. I was able to access the directories below (directory listings). In many situations, directory listings don't have any relevance to security. When I make a request for directories, I usually get a default resource, such as index.html, or I get a status code of 403, not permitted. Sometimes I get a listing showing the contents of the directory, as is the case here. What concerns me is that the application may not be enforcing proper access controls, which may allow me to get to stuff I shouldn't see. For example, I'm getting to stuff at the web root of the server, which may contain some sensitive data and can have path traversal vulnerabilities. I'll keep digging, looking for other problems and looking at some of the text files that are in these directories (hopefully, nothing sensitive in them). Is Apache actually being used, or did this web application just include it as part of the installation? I'll keep you posted as I test further.

xxx.xxx.xxx/accounts/Admin
xxx.xxx.xxx:80/logs/
xxx.xxx.xxx:443/logs/
xxx.xxx.xxx/logs/
xxx.xxx.xxx/logs?cznotdir
xxx.xxx.xxx/images/
xxx.xxx.xxx/accounts

So I guess our main questions are as follows:

1) Can we set the access to the directories to not allow browsing?
2) Do the log files contain any information that should not be viewed by just anybody?
3) Are there places, either in your configuration files or things we can do with Apache, to harden the security of this site that is presented to the users without diminishing the site's capabilities?



We may have more concerns, but currently this is what has been posted to me so far.

Thank you in Advance,
Sean
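Added example (not from the post, from ManageEngine, or from the product's shipped configuration): a generic Apache httpd 2.4 configuration that shows the setting responsible for the directory listings the audit observed next to the hardened form that answers question 1), and access rules covering the /logs and /accounts paths from question 3). It assumes the site is fronted by Apache httpd 2.4 (which the post itself leaves open) and uses "/path/to/webroot" as a placeholder for the real DocumentRoot.

```apacheconf
# Added example, not the product's own configuration. Paths are placeholders.

# --- Weak: directory listings enabled (what the audit observed) ---
# With "Indexes" set, a request for /logs/ that finds no index file
# returns an auto-generated listing of the directory contents.
<Directory "/path/to/webroot">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Hardened ---
# 1) Disable listings for the whole web root. A directory without an
#    index file now returns 403 instead of its contents.
<Directory "/path/to/webroot">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# 2) Deny the log and account directories to all clients. If the
#    application needs them on disk, the better fix is to move them
#    outside the DocumentRoot entirely.
<Directory "/path/to/webroot/logs">
    Require all denied
</Directory>
<Directory "/path/to/webroot/accounts">
    Require all denied
</Directory>

# 3) Refuse requests for loose text, log, backup and config files that
#    may have been left under the web root.
<FilesMatch "\.(txt|log|bak|old|conf)$">
    Require all denied
</FilesMatch>

# 4) Keep server version details out of error pages and the Server header.
ServerTokens Prod
ServerSignature Off
```

After restarting httpd, re-request each URL from the audit list and confirm that /logs/ and /accounts return 403 rather than a listing. `Require all denied` is Apache 2.4 syntax; on a 2.2 server the equivalent is `Order deny,allow` followed by `Deny from all`. If the main configuration cannot be edited, an `.htaccess` file containing `Options -Indexes` in the web root has the same effect on listings, provided `AllowOverride` permits `Options` there.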
