Mac OS X Find-By-Content .FBCIndex Web File Content Disclosure

2001-09-10T00:00:00
ID OSVDB:644
Type osvdb
Reporter Eric Bennett (emb22@cornell.edu)
Modified 2001-09-10T00:00:00

Description

Vulnerability Description

Mac OS X contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when a .FBCIndex file is created by the Finder in the root of a web-accessible directory, which will disclose file content information resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

Use a <FilesMatch> directive in httpd.conf to restrict access to 'hidden' files (names beginning with a dot):

    # Deny requests for any file whose name begins with a literal dot
    <FilesMatch '^\.'>
        Order allow,deny
        Deny from all
    </FilesMatch>

Restart Apache after the changes to the configuration file.
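
To see which files the workaround needs to cover on your own server, the shell functions below walk a document root and list every .FBCIndex and other dot-file together with the URL path it would be served at. This is an added example, not part of the original advisory; the document root and base URL are supplied by the caller and are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a web document root for
# Finder .FBCIndex files and other dot-files that the web server would hand out
# unless a rule such as the FilesMatch workaround blocks them.

# list_hidden_web_files DOCROOT [BASE_URL]
# Prints one line per hidden regular file: "<url>\t<size in bytes>".
# File names containing newlines are not supported.
list_hidden_web_files() {
    docroot=${1%/}          # tolerate a trailing slash
    base=${2:-}             # e.g. http://localhost (assumption: caller's own host)
    if [ ! -d "$docroot" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    find "$docroot" -type f -name '.*' -print | sort | while IFS= read -r f; do
        rel=${f#"$docroot"}                 # path relative to the document root
        size=$(wc -c < "$f" | tr -d ' ')    # index size hints at how much content leaked
        printf '%s%s\t%s\n' "$base" "$rel" "$size"
    done
}

# count_fbcindex DOCROOT
# Prints how many .FBCIndex files exist anywhere below DOCROOT.
count_fbcindex() {
    find "${1%/}" -type f -name '.FBCIndex' -print | wc -l | tr -d ' '
}

# Stand-alone use: sh audit.sh /path/to/docroot http://localhost
if [ "$#" -gt 0 ]; then
    echo "FBCIndex files found: $(count_fbcindex "$1")"
    list_hidden_web_files "$@"
fi
```

Each URL printed should return a 403 once the workaround is active and Apache has been restarted; deleting the index files removes the data but the Finder can recreate them.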

Manual Testing Notes

http://[victim]/target_directory/.FBCIndex

References:

Related OSVDB ID: 6694
Nessus Plugin ID: 10773
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-09/0085.html
ISS X-Force ID: 7103
CVE-2001-1446
CERT VU: 177243
Bugtraq ID: 3325