| Field | Value |
|---|---|
| VID | 22163 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The Apache server used with the MacOS X client discloses the indexing data stored in a hidden file. MacOS X with the Find-By-Content feature creates indexing data from the contents of the files in each directory and stores that data in a hidden, world-readable file named `.FBCIndex` inside each directory. A remote attacker can read the indexed contents of the files by requesting the file from the Apache server: `http://apache_server/target_directory/.FBCIndex`. Using this vulnerability, a remote attacker can obtain sensitive information such as potential passwords contained in files in the directory, system configuration, installed applications, etc., and then carry out further attacks against the target server. Platforms Affected: Apache 1.3.14 as used with Apple MacOS X 10.0, 10.0.1, 10.0.2, 10.0.3 and 10.0.4. |
| Recommendation | No solution available as of February 2003. As a workaround, use a `<FilesMatch>` directive in httpd.conf to block access to any hidden file: `<FilesMatch "^\."> Order allow,deny Deny from all </FilesMatch>` |
| Related URL | CVE-2001-1446 (CVE) |
| Related URL | 3316, 3324, 3325 (SecurityFocus) |
| Related URL | 7103 (ISS) |
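The workaround above, written out as an httpd.conf fragment in the form an administrator would actually paste into the server configuration. This is an added example, not part of the advisory: the Apache 1.3 block uses the `Order`/`Deny` syntax the advisory gives, and the Apache 2.4 block (an assumption beyond the affected 1.3.14 release, included because the same access-control idea carries over) uses the `Require` syntax that replaced it. Place the block at server level, outside any `<Directory>` section, so it applies to every directory the server can serve, including user `Sites` directories.

```apache
# Deny access to every dotfile (.FBCIndex, .DS_Store, .htaccess, ...)
# regardless of which directory it sits in. Matching on the file name
# rather than a path means newly created directories are covered too.

# Apache 1.3 / 2.2 syntax (the releases named in the advisory):
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>

# Apache 2.4 equivalent (added for comparison; not in the advisory):
# <FilesMatch "^\.">
#     Require all denied
# </FilesMatch>
```

After reloading the configuration (`apachectl graceful`), confirm the rule is in effect by requesting any dotfile under the document root with a client such as `curl -I` and checking that the server answers `403 Forbidden` rather than `200 OK`. Note that `Order allow,deny` must be written without a space after the comma; Apache 1.3 rejects `Order allow, deny` as a syntax error at startup.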