Re: FirstClass 7.1 HTTP Server: Remote Directory Listing

[Graham Morley <GMorley_Public () firstclass com>]

In-Reply-To: <fc.00802e600021e6b400802e600021e6b4.21e717 () rbwm org>

> FirstClass 7.1 HTTP Server allow the listing of all files under the web
> root directory and user web directories.

While this statement is correct, it is not a bug, but rather a misunderstanding/misconfiguration of the FirstClass 
system by the reporter.  The base web folder and user personal web folders are all intended as public data 
repositories. Anything placed in them is universally accessible by default, unless they are placed in conferences 
(FirstClass' ACL protected containers) with appropriate permissions set.  This is all by design in order to make web 
publishing as easy as possible for users and new administrators.  Note that, in the out of the box configuration, no 
sensitive information is available in any of these folders.

As stated, private portions of a web site can easily be created by creating FirstClass conferences under the WWW folder 
(or a user's homepage folder) and setting their permissions (search included) to only allow authenticated users (or 
subsets thereof) to access the content in them.  Alternatively, if the search function is really not desired, it is 
extremely easy to disable by accessing the "Unauthenticated Users" privilege group (in the "Groups" folder on the 
administrator's desktop) and turning off the search privilege.  However, do not allow the disabling of unauthenticated 
search functionality to lull you into a false sense of security regarding your data.  If you have placed it in a public 
folder, it remains accessible to anyone who knows how to get at it.  The safest thing to do with sensitive information 
is to not put it in a public place.

> This vulnerability can disclose a huge amount of information about the
> servers setup which will aid attackers in exploiting further holes in the
> server.

This so-called "vulnerability" exposes *no* information about the site that is not already available, since any 
information turned up in this fashion is already in the public domain.  What this really hilights is the poor security 
policy put in place by the site administrator if they have recklessly placed sensitive information in a public place.

------------------------------------------------------------------------Graham Morley
Developer, Internet Services Team
Open Text Corporation Messaging Division
Please visit our web sites:
 - Open Text:  www.opentext.com
 - Messaging Division: www.firstclass.com