Upon a vulnerability scan, it is requested to fix the above issue on Zimbra Server (8.8.7_GA_1964.RHEL7_64_20180223145016 RHEL7_64 FOSS edition). Please refer the details below.
The hidden directory enumeration issue exists when the server responds with a '403 Forbidden' error while trying to access a valid application directory. Hidden directories were detected by viewing the '403 Forbidden' response from the server. An attacker will try to access multiple directories within the application by guessing their names or launching a brute force attack. The server will typically respond with a '404 Not Found' error if a directory does not exist, however if a valid directory exists, the server responds with '403 Forbidden' error. The attacker can use this difference in the response to enumerate the application directories and file structure. The presence of hidden directories allows an attacker to gather information regarding the file and directory structure of the application by viewing the '403 Forbidden' server response. An attacker can list the server directories by studying the different error responses that are thrown by the application server. This information can result in mapping of the subdirectories, files, and subsequently the entire application directory structure. It may also help the attacker identify the technology stack used in the application by studying the presence or absence of technologyspecific server directories.
The application server should return a '404 Not Found' error response instead of a '403 Forbidden' error response and remove any directories which are not required. The application should respond with a '404 Not Found' error instead of a '403 Forbidden' error when a request is made for existing or a non-existing directory. This will help in obfuscating the valid directories which exist on the server. Additionally, unused files and directories should be removed from the application server.
Any solution to this issue is highly appreciated.
- Zimbra Collaboration 8.6 Patch 9 now available (includes fix for CVE-2017-8802). Read the announcement.
- Zimbra Collaboration 8.8.7 + Zimbra Connector for Outlook 8.8.7 are available.. Read the announcement.
- Are you a Zimbra Developer? You can find some interesting stuff in our Official GitHub: https://github.com/Zimbra and check the Community Projects too: https://github.com/Zimbra-Community/
Discuss your pilot or production implementation with other Zimbra admins or our engineers.
1 post • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 5 guests