HTTP Server security flaw; clarification

Jeremy Angoff reports word of a new vulnerability regarding FirstClass Server version 7.1. Essentially, the exploit allows a non-privileged individual to have access to the root of the server and all files and directories contained therein. This includes emails, web files, conferences, calendars. He writes "I tested it out on a few systems and if the FC web server is turned on and port 80 is open, you have a big problem."

The security alert the Full Disclosure mailing list is as follows:

"FirstClass 7.1 HTTP Server allow the listing of all files under the web root directory and user web directories. This can be achieved by appending '/Search" to the URL. The browser will present a file searching form. If all check boxes (search options) are selected, and the filename text box is left blank, all files will be shown in the results and can be viewed through the browser.

"This vulnerability can disclose a huge amount of information about the servers setup which will aid attackers in exploiting further holes in the server.

Exploits:

• http://SERVER/Search
• http://SERVER/~Account Name/Search

A clarification on the SecurityFocus Web site states:

"While this statement is correct, it is not a bug, but rather a misunderstanding/misconfiguration of the FirstClass system by the reporter. The base web folder and user personal web folders are all intended as public data repositories. Anything placed in them is universally accessible by default, unless they are placed in conferences (FirstClass' ACL protected containers) with appropriate permissions set. This is all by design in order to make web publishing as easy as possible for users and new administrators. Note that, in the out of the box configuration, no sensitive information is available in any of these folders."

Feedback? Late-breakers@macfixit.com.

Resources