Hidden Directory Detected - Vulnerability

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
yasanthau
Advanced member
Advanced member
Posts: 57
Joined: Sat Sep 13, 2014 12:52 am

Hidden Directory Detected - Vulnerability

Postby yasanthau » Thu Jan 24, 2019 12:52 pm

Hi,

Upon a vulnerability scan, it is requested to fix the above issue on Zimbra Server (8.8.7_GA_1964.RHEL7_64_20180223145016 RHEL7_64 FOSS edition). Please refer the details below.

The hidden directory enumeration issue exists when the server responds with a '403 Forbidden' error while trying to access a valid application directory. Hidden directories were detected by viewing the '403 Forbidden' response from the server. An attacker will try to access multiple directories within the application by guessing their names or launching a brute force attack. The server will typically respond with a '404 Not Found' error if a directory does not exist, however if a valid directory exists, the server responds with '403 Forbidden' error. The attacker can use this difference in the response to enumerate the application directories and file structure. The presence of hidden directories allows an attacker to gather information regarding the file and directory structure of the application by viewing the '403 Forbidden' server response. An attacker can list the server directories by studying the different error responses that are thrown by the application server. This information can result in mapping of the subdirectories, files, and subsequently the entire application directory structure. It may also help the attacker identify the technology stack used in the application by studying the presence or absence of technologyspecific server directories.
Instances:
1. https://mail.domain.lk/public/
2. https://mail.domain.lk/templates/
3. https://mail.domain.lk/yui/
4. https://mail.domain.lk/skins/_base/
5. https://mail.domain.lk/img/
6. https://mail.domain.lk/js/
7. https://mail.domain.lk/help/en_US/
8. https://mail.domain.lk/help/en_US/advanced/
Remediation:
The application server should return a '404 Not Found' error response instead of a '403 Forbidden' error response and remove any directories which are not required. The application should respond with a '404 Not Found' error instead of a '403 Forbidden' error when a request is made for existing or a non-existing directory. This will help in obfuscating the valid directories which exist on the server. Additionally, unused files and directories should be removed from the application server.

Any solution to this issue is highly appreciated.

Thanks,

Yasantha


Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 7 guests