Vulnerability Title: Browsable web directory
Service Port: 4443
Service Name: HTTPS
Service Protocol: tcp
Vulnerability Description: A web directory was found to be browsable, which means that anyone can see the contents of the directory. These directories can be found:
* via page spidering (following hyperlinks), or
* as part of a parent path (checking each directory along the path and searching for "Directory Listing" or similar strings), or
* by brute forcing a list of common directories.
Browsable directories could allow an attacker to perform a directory traversal attack by viewing "hidden" files in the web root, including CGI scripts, data files, or backup pages.
Vulnerability Proof: https://<*.*,*.*>:4443/OracleHTTPServer12c_files/
Solution:
Remove the "Indexes" option from the Run-time and Staging httpd.conf files
--check @ line # 241
From: Options Indexes FollowSymLinks
To: Options FollowSymLinks
1. Run-time directory:
$DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/httpd.conf
2. Staging directory:
$DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf
You should add the following value in the [default] section of formsweb.cfg:
3.$DOMAIN_HOME/config/fmwconfig/servers/WLS_FORMS/applications/formsapp_12.2.1/config/formsweb.cfg
#
#X-Frame-Options to Resolve Click-Jacking
#
Set_X_Frame_Options=true
If you are not planning to use HTTPS, comment out these lines in both the Run-time and Staging httpd.conf files:
# Include the SSL definitions and Virtual Host container
include "ssl.conf"                       <-- comment out this line
....
IncludeOptional "moduleconf/*.conf"      <-- comment out this line
Restart the services and then test.
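The following Python script is an added example, not part of the original post or of Oracle HTTP Server, that does two things a defender wants after applying the fix above: it audits httpd.conf text for any active Options directive that still enables Indexes (and rewrites it the way the From/To lines show, keeping the other options), and it classifies an HTTP response as an auto-generated directory listing so the finding can be re-tested. The httpd.conf fragment and the HTML bodies are constructed sample data; the OHS paths in them mimic the layout named in the post but are not taken from any real server. The function check_listing_at is an assumed helper for a live re-test of your own server and is not exercised by the sample run.

```python
import re

# Constructed httpd.conf fragment (sample data, not a real server's configuration).
SAMPLE_HTTPD_CONF = """\
DocumentRoot "${ORACLE_INSTANCE}/config/fmwconfig/components/OHS/instances/ohs1/htdocs"
<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/OHS/instances/ohs1/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
# Options Indexes FollowSymLinks   (commented out: inactive, must not be reported)
<Directory "/u01/app/other">
    Options -Indexes +FollowSymLinks
</Directory>
<Directory "/u01/app/fixed">
    Options FollowSymLinks
</Directory>
"""

# Matches an Options directive: group 1 is the indentation, group 2 the option tokens.
OPTIONS_RE = re.compile(r'^(\s*)Options\s+(\S.*?)\s*$', re.IGNORECASE)


def _enables_indexes(token):
    """True for 'Indexes' or '+Indexes' (case-insensitive); '-Indexes' explicitly disables it."""
    return token.lstrip('+').lower() == 'indexes' and not token.startswith('-')


def find_indexes_lines(conf_text):
    """Return (line_number, line) for every uncommented Options directive that enables Indexes."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        m = OPTIONS_RE.match(line)
        if m and any(_enables_indexes(t) for t in m.group(2).split()):
            hits.append((lineno, line.strip()))
    return hits


def remove_indexes(conf_text):
    """Rewrite Options directives so Indexes is no longer enabled; all other tokens are kept."""
    fixed = []
    for line in conf_text.splitlines():
        m = OPTIONS_RE.match(line)
        if m and not line.lstrip().startswith('#'):
            kept = [t for t in m.group(2).split() if not _enables_indexes(t)]
            # 'Options' with no arguments is a syntax error in Apache, so fall back to 'None'.
            line = f"{m.group(1)}Options {' '.join(kept) if kept else 'None'}"
        fixed.append(line)
    return '\n'.join(fixed) + '\n'


# Fingerprints of a mod_autoindex listing; requiring two of them avoids flagging a normal
# page that merely contains the words "Index of".
LISTING_MARKERS = (
    re.compile(r'<title>\s*Index of\s', re.IGNORECASE),
    re.compile(r'<h1>\s*Index of\s', re.IGNORECASE),
    re.compile(r'Parent Directory', re.IGNORECASE),
)


def looks_like_directory_listing(status, body):
    """A 200 response whose body carries at least two listing fingerprints is a browsable directory."""
    if status != 200:
        return False
    return sum(1 for marker in LISTING_MARKERS if marker.search(body)) >= 2


def check_listing_at(url, timeout=10):
    """Assumed helper: fetch url (your own server) and report whether it still returns a listing."""
    import urllib.request
    import urllib.error
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return looks_like_directory_listing(resp.status, resp.read().decode('utf-8', 'replace'))
    except urllib.error.HTTPError as err:  # 403/404 after the fix still carry a body
        return looks_like_directory_listing(err.code, err.read().decode('utf-8', 'replace'))


# Constructed response bodies: one listing (the path name comes from the finding above),
# one ordinary page, one 403 page.
LISTING_BODY = """<html><head><title>Index of /OracleHTTPServer12c_files</title></head>
<body><h1>Index of /OracleHTTPServer12c_files</h1>
<ul><li><a href="/">Parent Directory</a></li>
<li><a href="backup.cfg.bak">backup.cfg.bak</a></li></ul></body></html>"""
PAGE_BODY = "<html><head><title>Welcome</title></head><body><p>Index of services is unavailable.</p></body></html>"
FORBIDDEN_BODY = "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>"


if __name__ == "__main__":
    for lineno, line in find_indexes_lines(SAMPLE_HTTPD_CONF):
        print(f"Indexes still enabled at line {lineno}: {line}")
    print("--- after remove_indexes ---")
    print(remove_indexes(SAMPLE_HTTPD_CONF))
    for status, body in ((200, LISTING_BODY), (200, PAGE_BODY), (403, FORBIDDEN_BODY)):
        print(status, "listing" if looks_like_directory_listing(status, body) else "no listing")
```

Run the config audit against both the run-time and the staging httpd.conf, since the post notes that the staging copy is what gets propagated; a hit in either file means the finding will come back. The response check is deliberately conservative (status 200 plus two fingerprints) so that a 403 or a custom error page after the fix is reported as "no listing".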