V-241673

Discussion

A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. As a Tomcat derivative, tc Server stores the web applications in a special “webapps” folder. The Java engine, however, is stored in a separate are of the OS directory structure. For greatest security it is important to verify that the “webapps” and the Java directories remain separated.

Check Content

At the command prompt, execute the following commands:

df -k /usr/java/default/bin/java
df -k /usr/lib/vmware-vcops/tomcat-web-app/webapps

If the two directories above are on the same partition, this is a finding.