[Archivesspace_Users_Group] Security question - Better description

Chris Fitzpatrick Chris.Fitzpatrick at lyrasis.org
Wed Jun 3 10:39:37 EDT 2015


Hey Rick,


Sure, I understand. But if the app is firewalled, this would probably not be much of a threat, since only the ASpace webapps would be accessing Solr.


But, if you want to change this, you'll have to set the parameter in Jetty, if you're using the default jetty deployment (and not something like Tomcat). To do this, add this line to your launcher/launcher.rb file at line 44:


context.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed","false") if webapp[:war].include?("solr.war")



(That should all be one line, just in case it's getting whacked by the email formatting.)

Then restart ASpace. This should cause a directory listing to respond with a 403.


b,chris.


BTW, Solr doesn't really come with any security protection built-in, which they do by design since it's assumed you'll have an application in front of the index. So, if it's not firewalled, anyone can do stuff like delete your whole index...



Chris Fitzpatrick | Developer, ArchivesSpace
Skype: chrisfitzpat  | Phone: 918.236.6048
http://archivesspace.org/
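To confirm the change took effect after the restart, here is an added check script (not from the ArchivesSpace project or from this thread) that requests each of the directories Rick listed on the Solr port and reports whether it still returns a listing, now answers 403, or is unreachable (the firewalled state). It assumes Solr is on port 8090 and that Jetty's listing page contains the text "Directory:", as in Rick's paste.

```ruby
require 'net/http'
require 'uri'

# Directories Rick found listable under the exploded solr.war, plus the two
# that already answered 404 (kept as a sanity check).
SOLR_DIRS = %w[css img js tpl img/ico img/filetypes WEB-INF META-INF].freeze

# Classify one response. Jetty's default servlet renders a listing as an HTML
# page containing "Directory: /path/" (as in the pasted /img/ listing); with
# Default.dirAllowed=false the same request should answer 403.
def classify(status, body)
  code = status.to_i
  return :listing   if code == 200 && body.to_s.include?('Directory:')
  return :forbidden if code == 403
  return :not_found if code == 404
  :other
end

# True if any path still returned a directory listing.
def listing_still_enabled?(results)
  results.value?(:listing)
end

# GET each directory on the Solr port and map it to its classification.
# A connection failure is reported as :unreachable, e.g. when Solr is
# firewalled off from the host running this script.
def check_solr_listing(host, port = 8090, dirs = SOLR_DIRS, timeout = 5)
  dirs.each_with_object({}) do |dir, results|
    uri = URI("http://#{host}:#{port}/#{dir}/")
    begin
      res = Net::HTTP.start(uri.host, uri.port,
                            open_timeout: timeout, read_timeout: timeout) do |http|
        http.get(uri.path)
      end
      results[dir] = classify(res.code, res.body)
    rescue SystemCallError, SocketError, Timeout::Error
      results[dir] = :unreachable
    end
  end
end

# Usage: ruby check_solr_listing.rb solr-host [port]   (exit 1 if any listing)
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  results = check_solr_listing(ARGV[0], (ARGV[1] || 8090).to_i)
  results.each { |dir, verdict| puts format('%-16s %s', "/#{dir}/", verdict) }
  exit(listing_still_enabled?(results) ? 1 : 0)
end
```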
________________________________
From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> on behalf of Neal, Rick <rneal at richmond.edu>
Sent: Wednesday, June 3, 2015 3:21 PM
To: Archivesspace Users Group
Subject: [Archivesspace_Users_Group] Security question - Better description


Chris,



I’m sorry, I really didn’t explain the problem well enough.



It is true that if I go to:  http://servername:8090 I see the Solr dashboard with no problem.



However, if I add a subdirectory name at the end (http://servername:8090/css/) or any of the other subdirectory names in the list below (except for WEB-INF or META-INF) I see the directory listing in the browser.  If I try adding WEB-INF or META-INF to the end of the URL I get: HTTP ERROR 404, Problem accessing /WEB-INF/. Reason: Not Found



[root at servername webapp]# pwd
/usr/local/as/data/tmp/jetty-0.0.0.0-8090-solr.war-_-any-/webapp

[root at servername webapp]# ls -altr
total 44
-rw-r--r-- 1 root root 1146 Sep 22  2012 favicon.ico
-rw-r--r-- 1 root root 4930 Sep 22  2012 admin.html
drwxr-xr-x 4 root root 4096 Jun  1 04:05 WEB-INF
drwxr-xr-x 3 root root 4096 Jun  1 04:05 css
drwxr-xr-x 8 root root 4096 Jun  1 04:05 .
drwxr-xr-x 4 root root 4096 Jun  1 04:05 img
drwxr-xr-x 4 root root 4096 Jun  1 04:05 js
drwxr-xr-x 2 root root 4096 Jun  1 04:05 tpl
drwxr-xr-x 2 root root 4096 Jun  1 04:05 META-INF
drwxr-xr-x 3 root root 4096 Jun  1 04:05 ..





My goal is to get the browser to stop listing the directory(s).



Thanks again for your help with this.



Rick







Directory: /img/
Parent Directory <http://metcalf.richmond.edu:8090/>

ZeroClipboard.swf <http://metcalf.richmond.edu:8090/img/ZeroClipboard.swf>   1071 bytes   Sep 22, 2012 8:36:50 AM
chosen-sprite.png <http://metcalf.richmond.edu:8090/img/chosen-sprite.png>    559 bytes   Sep 22, 2012 8:36:50 AM
div.gif <http://metcalf.richmond.edu:8090/img/div.gif>                       1093 bytes   Sep 22, 2012 8:36:50 AM
favicon.ico <http://metcalf.richmond.edu:8090/img/favicon.ico>               1146 bytes   Sep 22, 2012 8:36:50 AM
filetypes/ <http://metcalf.richmond.edu:8090/img/filetypes/>                 4096 bytes   Jun 1, 2015 3:05:15 AM
ico/ <http://metcalf.richmond.edu:8090/img/ico/>                             4096 bytes   Jun 1, 2015 3:05:15 AM
loader-light.gif <http://metcalf.richmond.edu:8090/img/loader-light.gif>     1849 bytes   Sep 22, 2012 8:36:50 AM
loader.gif <http://metcalf.richmond.edu:8090/img/loader.gif>                 1553 bytes   Sep 22, 2012 8:36:50 AM
lucene-ico.png <http://metcalf.richmond.edu:8090/img/lucene-ico.png>         1508 bytes   Sep 22, 2012 8:36:50 AM
solr-ico.png <http://metcalf.richmond.edu:8090/img/solr-ico.png>             1146 bytes   Sep 22, 2012 8:36:50 AM
solr.png <http://metcalf.richmond.edu:8090/img/solr.png>                     7926 bytes   Sep 22, 2012 8:36:50 AM
tree.png <http://metcalf.richmond.edu:8090/img/tree.png>                     1112 bytes   Sep 22, 2012 8:36:50 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rick Neal
Library Applications and Systems Administrator
Boatwright Memorial Library
University of Richmond, VA 23173
rneal at richmond.edu



From: archivesspace_users_group-bounces at lyralists.lyrasis.org [mailto:archivesspace_users_group-bounces at lyralists.lyrasis.org] On Behalf Of Chris Fitzpatrick
Sent: Wednesday, June 03, 2015 6:41 AM
To: Archivesspace Users Group
Subject: Re: [Archivesspace_Users_Group] Security question



Hi Rick,



I think this would be a false positive, since it's the Solr index that runs on port 8090.



However, it's strongly recommended that Solr be firewalled off so that the only clients accessing it are your own. That means only allowing access from whatever host your backend, frontend, public, and indexer are running on.



b,chris.



Chris Fitzpatrick | Developer, ArchivesSpace
Skype: chrisfitzpat  | Phone: 918.236.6048
http://archivesspace.org/

________________________________

From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> on behalf of Neal, Rick <rneal at richmond.edu>
Sent: Tuesday, June 2, 2015 9:49 PM
To: Archivesspace Users Group
Subject: [Archivesspace_Users_Group] Security question



Hello All,



I am running a security scan on our Archivesspace test server and received a notice that I have a ‘Browsable web directory’.



I have removed ‘Indexes’ from the httpd.conf file but the directory is still browsable on http://servername:8090.



Any thoughts on how to stop this from occurring would be appreciated.



Thanks,



Rick



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rick Neal
Library Applications and Systems Administrator
Boatwright Memorial Library
University of Richmond, VA 23173
rneal at richmond.edu

