IBM Security Verify


Security Scans Detecting Directory Browsing of Security Verify's /icons/ directory

  • 1.  Security Scans Detecting Directory Browsing of Security Verify's /icons/ directory

    Posted Tue September 28, 2021 03:31 PM
    Please see the attached screen capture.

    Our security team has several different scans running against our public websites. A recent scan detected directory listing being enabled, even though we know it's not. Upon investigation today, we discovered going to the website (i.e. https://www.example.com/icons/) would show a directory listing of a bunch of system-type icons. We then tried going to the web server directly (bypassing the ISAM) and get a 404! So, we know the /icons/ directory is coming from the Security Verify appliance. We then tried going through SV again, but inserted the junction for this site. Again, a 404 page! So far, so good!

    Finally, we went in to the SV appliance. We went to Reverse Proxy > Manage > Management Root.  There, under 'junction-root' we found the offending /icons/ directory that is allowing directory listing. There appear to be a bunch of icons there like archive.gif, binhex.gif, folder.gif, etc.

    The question now is how we disable this directory browsing in the IBM SV appliance so the scan no longer gets this false positive. Also, are there any other surprise directories like this that might pop up later in subsequent scans that we should also disable? Initially, I thought to delete the icons or the directory, but I'm not sure what dependencies there might be from within the SV appliance. The preferred approach would be to disable this directory listing entirely, so that this isn't possible.

    Frankly, I'm a little surprised this is happening. Directory listing/browsing has been considered a bad practice for the better part of a decade. I wouldn't expect this behavior to be enabled by default.

    Any suggestions?

    ------------------------------
    David Gianetti
    ------------------------------


  • 2.  RE: Security Scans Detecting Directory Browsing of Security Verify's /icons/ directory
    Best Answer

    Posted Tue September 28, 2021 04:19 PM
    David,

    The ability to list directories on the local junction is controlled by the 'l' ACL bit.  The default ACL which is attached to the root WebSEAL object space does not have the 'l' bit set for standard users, and only has the 'l' bit set for administrative users (e.g. sec_master).  So, either you are running your scans as the sec_master user, or you have modified your policy to allow other users to list the contents of directories.  Either way you should just need to remove the 'l' bit from the appropriate ACL, for the appropriate user, to disable the ability to list directory contents.

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access
    IBM Master Inventor

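    As an added check (not part of the thread above and not IBM's own code), the Python script below parses the text that pdadmin's `acl show` command prints, flags every ACL entry that grants the 'l' (list) bit to anything other than the administrative principals, and emits the `acl modify <acl> set <entry> <perms>` commands that would strip the bit. The ACL names, entries and the exact output layout in the sample are constructed to approximate pdadmin output and are assumptions, not a dump from a real appliance; the list of principals treated as administrative is likewise an assumption and should be adjusted to your own policy.

```python
"""Added example: find ACL entries that grant the WebSEAL 'l' (list
directory) permission to non-administrative principals.

The sample below is CONSTRUCTED to approximate the text printed by
'pdadmin ... acl show <name>'; it is not output from a real appliance.
"""
import re

# ASSUMPTION: these principals are expected to keep the 'l' bit.
# (kind, name) pairs; kind is lower-cased as produced by parse_acls().
ADMIN_PRINCIPALS = {
    ("user", "sec_master"),
    ("group", "iv-admin"),
    ("group", "webseal-servers"),
}

# Constructed sample: first ACL is close to the stock default, the second
# is a hypothetical copy where someone added 'l' for anonymous users.
SAMPLE_ACL_OUTPUT = """\
ACL Name: default-webseal
Description: Default WebSEAL ACL
Entries:
    User sec_master TcmdbsvaBRlrx
    Group iv-admin TcmdbsvaBRlrx
    Group webseal-servers Tgmdbsrxl
    Any-other Trx
    Unauthenticated T
ACL Name: web-public-acl
Description: Hypothetical ACL attached to a public site (constructed)
Entries:
    User sec_master TcmdbsvaBRlrx
    Group iv-admin TcmdbsvaBRlrx
    Group webseal-servers Tgmdbsrxl
    Any-other Trxl
    Unauthenticated Trl
"""

# One ACL entry line: "<Kind> [<name>] <permission string>".
# 'Any-other' and 'Unauthenticated' entries carry no principal name.
ENTRY_RE = re.compile(
    r"^\s*(User|Group|Any-other|Unauthenticated)\s+(?:(\S+)\s+)?(\S+)\s*$"
)
ACL_NAME_RE = re.compile(r"^\s*ACL Name:\s*(\S+)")


def parse_acls(text):
    """Return {acl_name: [(kind, name_or_None, perms), ...]}."""
    acls = {}
    current = None
    for line in text.splitlines():
        m = ACL_NAME_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            kind, name, perms = m.group(1).lower(), m.group(2), m.group(3)
            acls[current].append((kind, name, perms))
    return acls


def list_grants(acls):
    """Entries holding the 'l' bit that are not administrative principals.

    Each finding is (acl_name, kind, name, perms, perms_without_l).
    """
    findings = []
    for acl_name, entries in acls.items():
        for kind, name, perms in entries:
            if "l" not in perms:
                continue
            if (kind, name) in ADMIN_PRINCIPALS:
                continue
            findings.append((acl_name, kind, name, perms, perms.replace("l", "")))
    return findings


def pdadmin_fix_commands(findings):
    """pdadmin commands that replace each offending entry without 'l'."""
    cmds = []
    for acl_name, kind, name, _perms, fixed in findings:
        target = f"{kind} {name}" if name else kind
        cmds.append(f"acl modify {acl_name} set {target} {fixed}")
    return cmds


if __name__ == "__main__":
    found = list_grants(parse_acls(SAMPLE_ACL_OUTPUT))
    for acl_name, kind, name, perms, _ in found:
        print(f"{acl_name}: {kind} {name or ''} has 'l' in {perms}")
    for cmd in pdadmin_fix_commands(found):
        print(cmd)
```

    On a real system you would feed the script the saved output of `acl show` for every ACL (`acl list` gives the names), run the printed `acl modify` commands from a pdadmin session as an administrative user, and then repeat the scan; an ACL found by `acl find` to be attached nowhere can be left alone. If the scan itself authenticates as sec_master, the listing is expected behaviour and the scan account, not the ACL, is what to change.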
  • 3.  RE: Security Scans Detecting Directory Browsing of Security Verify's /icons/ directory

    Posted Wed September 29, 2021 08:44 AM
    Thanks, Scott! I can't believe I missed that. This did the trick!

    ------------------------------
    David Gianetti
    ------------------------------