Fix for Directory Listing Vulnerability on IDP Webpages (SSP/MyVIP and VIPMGR)

Article ID: 388724

Products

VIP Service

Issue/Introduction

A directory listing vulnerability was identified on the IDP webpages (SSP/MyVIP and VIPMGR) in VIP Enterprise Gateway. This vulnerability occurs when directories are exposed on the web application, allowing unauthorized access to sensitive files or directory structures before user authentication.

However, after successful authentication, users are redirected to manager.vip.symantec.com, where directory listing is disabled, meaning no sensitive information is exposed.

Environment

VIP Enterprise Gateway 9.11 and below

Cause

The vulnerability was caused by directory listing being enabled on the Jetty web server used in VIP Enterprise Gateway. This allows directories to be listed on specific URLs before the user has authenticated.

URLs Affected

  • /vipmgr/
  • /vipmgr/com/verisign/
  • /vipmgr/com/verisign/mauth/
  • /vipmgr/com/verisign/mauth/conf/
  • /vipmgr/com/verisign/mauth/conf/enterprise/vipmgrwebapp/
  • /vipmgr/UI/css/
  • /vipssp/UI/css/
  • /vipegconsole/UI/js/
  • /vipssp/UI/images/

Resolution

Fix and Mitigation

This issue has been identified and will be addressed in the VIP Enterprise Gateway 9.11.1 release. The fix will involve disabling directory listing on these specific directories to prevent unauthorized access and ensure the security of all files and directories.

Steps to Apply the Fix (via EG-9.11.1 Update)

  1. Update to EG-9.11.1:
    Download and install VIP Enterprise Gateway 9.11.1 once it is released. The fix will be included in this version.

  2. Verify Configuration:
    After applying the update, verify that directory listing has been successfully disabled on the affected IDP webpages by testing the following URLs:

    • https://<VIP_EG_URL>/vipmgr/
    • https://<VIP_EG_URL>/vipmgr/com/verisign/
    • https://<VIP_EG_URL>/vipmgr/UI/css/

    You should no longer be able to see any directory listings for these URLs, confirming that the fix has been applied.
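The verification step above can be scripted so every path from the "URLs Affected" list is checked in one unauthenticated pass. This is an added example, not code from the article or the VIP Enterprise Gateway product; the base URL is a placeholder you supply on the command line, and the markers used to recognise a Jetty auto-generated index page (a "Directory: <path>" title and heading) are an assumption about Jetty's default listing format.

```python
"""Post-update check: confirm directory listing is disabled on the affected VIP EG paths."""
import ssl
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Paths the article lists as affected (vipmgr, vipssp and vipegconsole webapps).
AFFECTED_PATHS = [
    "/vipmgr/",
    "/vipmgr/com/verisign/",
    "/vipmgr/com/verisign/mauth/",
    "/vipmgr/com/verisign/mauth/conf/",
    "/vipmgr/com/verisign/mauth/conf/enterprise/vipmgrwebapp/",
    "/vipmgr/UI/css/",
    "/vipssp/UI/css/",
    "/vipegconsole/UI/js/",
    "/vipssp/UI/images/",
]

# Assumption: a Jetty DefaultServlet index page carries a "Directory: <path>"
# title and heading; a login page or error page does not.
LISTING_MARKERS = ("<title>directory: ", "<h1>directory: ")


def looks_like_listing(status: int, body: str) -> bool:
    """True only for a 200 response whose body is an auto-generated directory index."""
    if status != 200:
        return False  # 403, 404 or a redirect to the login page are all acceptable
    text = body.lower()
    return any(marker in text for marker in LISTING_MARKERS)


def check_host(base_url: str, paths=AFFECTED_PATHS) -> dict:
    """Fetch each path without a session and report which ones still list files.

    Values: True = listing still enabled, False = no listing, None = unreachable.
    """
    ctx = ssl.create_default_context()  # certificate validation stays on
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=10, context=ctx) as resp:
                results[path] = looks_like_listing(resp.status, resp.read().decode("utf-8", "replace"))
        except HTTPError as err:  # non-2xx responses still carry a body worth classifying
            results[path] = looks_like_listing(err.code, err.read().decode("utf-8", "replace"))
        except URLError:
            results[path] = None
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_listing.py https://<VIP_EG_URL>")
    for path, state in check_host(sys.argv[1]).items():
        print({True: "STILL LISTING", False: "ok", None: "unreachable"}[state], path)
```

Run it from a host that is not logged in to the gateway, since the article notes the listing is only reachable before authentication; any path reported as STILL LISTING means the 9.11.1 update has not taken effect there.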

Recommendation

We recommend applying the VIP Enterprise Gateway 9.11.1 update as soon as it becomes available to eliminate this vulnerability and avoid false security alerts.

Additional Information

While this vulnerability was flagged in vulnerability scans, it does not expose any sensitive information because the directories are not accessible after authentication. However, it still creates potential false positives and security alerts, which can cause concern.