Lighttpd must disable directory browsing.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-89291 | VRAU-LI-000345 | SV-99941r1_rule | Medium |
| Description |
|---|
| If not disabled, the directory listing feature can be used to facilitate a directory traversal exploit. Directory listing must be disabled. Lighttpd provides a configuration setting, dir-listing.activate, that must be set properly in order to globally disable directory listing. |
| STIG | Date |
|---|---|
| VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide | 2018-10-12 |
Details
| Check Text ( C-88983r1_chk ) |
|---|
| At the command prompt, execute the following command: grep '^dir-listing.activate' /opt/vmware/etc/lighttpd/lighttpd.conf If the value for "dir-listing.activate" is not set to "disable", this is a finding. |
| Fix Text (F-96033r1_fix) |
|---|
| Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: dir-listing.activate = "disable" |