Hello,
We get scanned by our security team.
The following was found on our Nagios XI 5.8 Server:
Severity: Low
Vulnerability ID: q086445
Details:
Listable Directories
/icons/
Port: 443/tcp
Generic Vulnerability Description:
The Web server has some listable directories. Very sensitive information can be obtained from directory listings.
A remote user may exploit this vulnerability to obtain very sensitive information on the host. The information obtained may assist in further attacks against the host.
How can we fix this?
Thank you
Nagios: Listable directories
Re: Nagios: Listable directories
Hi Nuggel1234,
The directory browsing capability is a function of the webserver installed on your system. In most cases, if you are using one of our images or the default install, the webserver is going to be Apache. While the configuration on your system may vary, often the /icons exposure is due to an entry in the autoindex.conf file in the configuration directory and the solution is as simple as commenting the lines out.
For example, on CentOS 7.9 with a default install, edit the following file:
    /etc/httpd/conf.d/autoindex.conf
And comment out the following lines with # signs.
    <Directory "/usr/share/httpd/icons">
    Options Indexes MultiViews FollowSymlinks
    AllowOverride None
    Require all granted
    </Directory>
So it looks like this:
    #<Directory "/usr/share/httpd/icons">
    # Options Indexes MultiViews FollowSymlinks
    # AllowOverride None
    # Require all granted
    #</Directory>
Then restart the server:
    systemctl restart httpd.service
And that should be all there is to it -- good luck.
Thanks and Best Regards,
Keith
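To check a config file before requesting a rescan, the following added example (not part of the original posts and not Nagios code) lists every `<Directory>` block whose active Options line still enables Indexes. The function name `list_indexed_dirs` and the sample config, including the `/var/www/html` block, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report <Directory> blocks in an Apache config file whose
# uncommented Options line turns on directory listings (Indexes or +Indexes).
# Scope: only Options lines inside <Directory> blocks of the given file;
# Options set at server level or in other included files are not evaluated.

list_indexed_dirs() {
    # $1 = path to an Apache config file
    awk '
        /^[ \t]*#/ { next }                      # commented-out lines are inactive
        /^[ \t]*<Directory[ \t]/ {               # opening tag: remember the path
            dir = $0
            sub(/^[ \t]*<Directory[ \t]+"?/, "", dir)
            sub(/"?[ \t]*>.*$/, "", dir)
            next
        }
        /^[ \t]*<\/Directory>/ { dir = ""; next }
        dir != "" && tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                # "-Indexes" disables listings, so it is deliberately not matched
                if (opt == "indexes" || opt == "+indexes") { print dir; break }
            }
        }
    ' "$1"
}

# Constructed sample: the stock icons block quoted in the reply above, plus a
# hypothetical second block that already disables listings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory "/usr/share/httpd/icons">
    Options Indexes MultiViews FollowSymlinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
EOF
list_indexed_dirs "$sample"    # prints /usr/share/httpd/icons
rm -f "$sample"
```

Run against /etc/httpd/conf.d/autoindex.conf after the edit described above, the function should print nothing for the icons directory.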