[BlueOnyx:11123] Re: /icons/: Directory indexing found

Michael Stauber mstauber at blueonyx.it
Wed Aug 8 12:32:23 PET 2012


Hi Richard,

> TCP     443     http
> Title: Web server vulnerability Impact: /icons/: Directory indexing 
> found. Risk Factor: High/ CVSS2 Base Score: 10.0 CVE: CVE-1999-0569 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0569
> 
> TCP     80     http
> Title: Web server vulnerability Impact: /icons/: Directory indexing 
> found. Risk Factor: High/ CVSS2 Base Score: 10.0 CVE: CVE-1999-0569 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0569
> 
> Found this in the httpd.conf
> Alias /icons/ "/var/www/icons/"
> 
> <Directory "/var/www/icons">
>      Options Indexes MultiViews
>      AllowOverride None
>      Order allow,deny
>      Allow from all
> </Directory>

I just tried http://server.name/icons/ on a BlueOnyx and I get a "The
requested URL was not found on this server." I then tried
http://www.vsite.com/icons/ and get the same.

So this doesn't apply to BlueOnyx.

I then checked Aventurin{e} 6105R and 6106R and there the /icons/
directory is browseable. I wouldn't exactly agree that a directory
traversal of the /icons/ directory is a vulnerability (as it is
non-exploitable). But I'll publish a fix to YUM that'll place an
index.html into these directories.

-- 
With best regards

Michael Stauber



More information about the Blueonyx mailing list