[Archivesspace_Users_Group] Security question - Better description

Neal, Rick rneal at richmond.edu
Wed Jun 3 09:21:49 EDT 2015


Chris,

I'm sorry, I really didn't explain the problem well enough.

It is true that if I go to:  http://servername:8090 I see the Solr dashboard with no problem.

However, if I add a subdirectory name at the end (http://servername:8090/css/), or any of the other subdirectory names in the list below (except for WEB-INF or META-INF), I see the directory listing in the browser.  If I try to add the WEB-INF or META-INF subdirectories to the end of the URL I get: HTTP ERROR 404, Problem accessing /WEB-INF/. Reason: Not Found

[root at servername webapp]# pwd
/usr/local/as/data/tmp/jetty-0.0.0.0-8090-solr.war-_-any-/webapp

[root at servername webapp]# ls -altr
total 44
-rw-r--r-- 1 root root 1146 Sep 22  2012 favicon.ico
-rw-r--r-- 1 root root 4930 Sep 22  2012 admin.html
drwxr-xr-x 4 root root 4096 Jun  1 04:05 WEB-INF
drwxr-xr-x 3 root root 4096 Jun  1 04:05 css
drwxr-xr-x 8 root root 4096 Jun  1 04:05 .
drwxr-xr-x 4 root root 4096 Jun  1 04:05 img
drwxr-xr-x 4 root root 4096 Jun  1 04:05 js
drwxr-xr-x 2 root root 4096 Jun  1 04:05 tpl
drwxr-xr-x 2 root root 4096 Jun  1 04:05 META-INF
drwxr-xr-x 3 root root 4096 Jun  1 04:05 ..


My goal is to get the browser to stop listing the directories.

Thanks again for your help with this.

Rick



Directory: /img/
Parent Directory <http://metcalf.richmond.edu:8090/>

ZeroClipboard.swf <http://metcalf.richmond.edu:8090/img/ZeroClipboard.swf>   1071 bytes   Sep 22, 2012 8:36:50 AM
chosen-sprite.png <http://metcalf.richmond.edu:8090/img/chosen-sprite.png>    559 bytes   Sep 22, 2012 8:36:50 AM
div.gif <http://metcalf.richmond.edu:8090/img/div.gif>                       1093 bytes   Sep 22, 2012 8:36:50 AM
favicon.ico <http://metcalf.richmond.edu:8090/img/favicon.ico>               1146 bytes   Sep 22, 2012 8:36:50 AM
filetypes/ <http://metcalf.richmond.edu:8090/img/filetypes/>                 4096 bytes   Jun 1, 2015 3:05:15 AM
ico/ <http://metcalf.richmond.edu:8090/img/ico/>                             4096 bytes   Jun 1, 2015 3:05:15 AM
loader-light.gif <http://metcalf.richmond.edu:8090/img/loader-light.gif>     1849 bytes   Sep 22, 2012 8:36:50 AM
loader.gif <http://metcalf.richmond.edu:8090/img/loader.gif>                 1553 bytes   Sep 22, 2012 8:36:50 AM
lucene-ico.png <http://metcalf.richmond.edu:8090/img/lucene-ico.png>         1508 bytes   Sep 22, 2012 8:36:50 AM
solr-ico.png <http://metcalf.richmond.edu:8090/img/solr-ico.png>             1146 bytes   Sep 22, 2012 8:36:50 AM
solr.png <http://metcalf.richmond.edu:8090/img/solr.png>                     7926 bytes   Sep 22, 2012 8:36:50 AM
tree.png <http://metcalf.richmond.edu:8090/img/tree.png>                     1112 bytes   Sep 22, 2012 8:36:50 AM




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rick Neal
Library Applications and Systems Administrator
Boatwright Memorial Library
University of Richmond, VA 23173

rneal at richmond.edu
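One way to make Jetty refuse the listing instead of rendering it, as an added example that is not ArchivesSpace's or Solr's own configuration: Jetty's DefaultServlet builds that "Directory: /img/" page whenever its dirAllowed init parameter is true, so overriding it to false in the servlet descriptor is the usual fix. Which descriptor Jetty loads here (solr.war's WEB-INF/web.xml or Jetty's etc/webdefault.xml) and the Jetty 7+ servlet class name are assumptions.

```xml
<!-- Added example (not from ArchivesSpace or Solr). Assumes Solr's static
     files are served by Jetty's DefaultServlet, which is the normal case for
     an exploded .war, and that you edit the descriptor Jetty actually reads:
     WEB-INF/web.xml inside solr.war, or Jetty's global etc/webdefault.xml
     (both paths are assumptions). Do not edit the copy under
     data/tmp/jetty-0.0.0.0-8090-solr.war-_-any-/webapp: Jetty re-extracts
     that directory from the .war on every start, so the change would be lost. -->
<web-app>
  <servlet>
    <!-- "default" is the servlet-name Jetty gives its DefaultServlet, so
         re-declaring it lets this descriptor override its init parameters. -->
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>

    <!-- Weak setting, and Jetty's default when the parameter is absent:
         any request that resolves to a directory with no welcome file
         gets an HTML listing of its contents. Shown commented out. -->
    <!--
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>true</param-value>
    </init-param>
    -->

    <!-- Hardened setting: requests for /css/, /img/, /js/ or /tpl/ now
         receive HTTP 403 Forbidden instead of the file list, while
         individual files such as /img/solr.png are still served. -->
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
```

After restarting ArchivesSpace, a request for http://servername:8090/css/ should return 403 rather than the listing, while http://servername:8090/img/solr.png still loads; re-running the scan should then clear the 'Browsable web directory' finding.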

From: archivesspace_users_group-bounces at lyralists.lyrasis.org [mailto:archivesspace_users_group-bounces at lyralists.lyrasis.org] On Behalf Of Chris Fitzpatrick
Sent: Wednesday, June 03, 2015 6:41 AM
To: Archivesspace Users Group
Subject: Re: [Archivesspace_Users_Group] Security question


Hi Rick,



I think this would be a false positive, since it's the Solr index that runs on port 8090.



However, it's strongly recommended that Solr be firewalled off so that the only clients accessing it are your own. That means only allowing access from whatever host your backend, frontend, public, and indexer are running on.



b,chris.


Chris Fitzpatrick | Developer, ArchivesSpace
Skype: chrisfitzpat  | Phone: 918.236.6048
http://archivesspace.org/
________________________________
From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> on behalf of Neal, Rick <rneal at richmond.edu>
Sent: Tuesday, June 2, 2015 9:49 PM
To: Archivesspace Users Group
Subject: [Archivesspace_Users_Group] Security question


Hello All,



I am running a security scan on our Archivesspace test server and received a notice that I have a 'Browsable web directory'.



I have removed 'Indexes' from the httpd.conf file but the directory is still browsable on http://servername:8090.



Any thoughts on how to stop this from occurring would be appreciated.



Thanks,



Rick



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rick Neal
Library Applications and Systems Administrator
Boatwright Memorial Library
University of Richmond, VA 23173

rneal at richmond.edu

