
Fix for Web Directories Listable Vulnerability#111

Status: Open
ajayan508 wants to merge 1 commit into rdkcentral:main from ajayan508:rdkm/RDKPREINTG-16153

Conversation

@ajayan508

@ajayan508 ajayan508 commented Jan 9, 2026

We found a vulnerability while deploying in the rdkm server: the URL was listing all the files in the path - . Added a fix for this; now the path won't list all the files in it, but the required files will be available through the URL.

@vimalks22

Thanks Abhija.
We need to disable the Web Directories Listable folders as per the Compliance Security policy. Either you can restrict it to authentication-based access or disable the folder. Can someone review?

@akshay-p-infosys
Contributor

akshay-p-infosys commented Jan 13, 2026

We found a vulnerability while deploying in rdkm server, the URL was listing all the files in the path - . Added a fix for this , Now the path won't list all the files in it , but the required files will be available through URL.

The directory listing was introduced so that when we click the "browse media assets" tab, it lists the media assets present in the test-materials folder. Instead of removing the listing completely, is it fine to keep the listing only for test-materials by adding the below code (modified the directory)?

<Directory "/home/MVT/test-materials">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
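Added example, not code from the MVT project or any commenter: a small check that reports which <Directory> blocks in an Apache config still enable directory listing, so a reviewer can confirm that only the intended path (or none, per the security team's guideline) has Indexes on. The config text is constructed here to mirror the block above; the parser does not model inheritance from enclosing directories or .htaccess overrides.

```python
import re

# Constructed sample config (not the MVT deployment's real httpd.conf): the first
# block has listing disabled, the second keeps it on for test-materials.
SAMPLE_CONF = """
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "/home/MVT/test-materials">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_RE = re.compile(r'^\s*Options\s+(.*)$', re.M | re.I)


def listable_directories(conf: str) -> list[str]:
    """Return paths of <Directory> blocks whose Options line turns autoindex on.

    Apache enables listing for a bare 'Indexes' or '+Indexes', and 'All' implies
    Indexes as well; only '-Indexes', or an Options line that omits Indexes
    entirely (which resets the option set), leaves listing disabled.
    """
    flagged = []
    for path, body in DIR_RE.findall(conf):
        for opts in OPTIONS_RE.findall(body):
            tokens = [t.lower() for t in opts.split()]
            if any(t in ("indexes", "+indexes", "all", "+all") for t in tokens):
                flagged.append(path)
                break
    return flagged


if __name__ == "__main__":
    for path in listable_directories(SAMPLE_CONF):
        print(f"directory listing enabled: {path}")
```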

@vimalks22

vimalks22 commented Jan 13, 2026

@akshay-p-infosys I doubt whether they will allow it for test assets only. Let me check on it.

Anyway, I don't think the below requirement for listing test assets is not working currently in the publicly hosted MVT; can you please confirm?

when we click the "browse media assets" tab, it will list the media assets present in test-materials folder.

@akshay-p-infosys
Contributor

akshay-p-infosys commented Jan 14, 2026

@vimalks22 I tested it on the Chrome browser (version 142.0.7444.162) on Ubuntu (version 22.04.5).
It is working fine.

@ajayan508
Author

ajayan508 commented Jan 16, 2026

@akshay-p-infosys

When checked in the public server, the URL is listing the test assets - https://mvt.rdkcentral.com/test-materials/.

But the Browse Media Assets tab is redirecting to this URL - https://mvt.onemw.net/test-materials/

Is this due to this change -

+ this.addLink('Browse Media Assets', 'https://mvt.onemw.net/test-materials/');

Meanwhile, we will check if the vulnerability can be fixed if it opens only this particular path.

@akshay-p-infosys
Contributor

@ajayan508 yes, it's due to that change.

@vimalks22

@akshay-p-infosys we are trying to convey that clicking on the "browse media assets" tab has not been working for a long time in the mvt.rdkcentral.com instance. So, it seems it is not a major requirement.
Also got confirmation from the security team that, in accordance with security guidelines, all directories must be restricted.
So please let us know: either you can support getting the PR merged, or we will apply these changes directly to the MVT tool hosted in RDK.

@akshay-p-infosys
Contributor

@vimalks22 if this change is done due to a security issue, then we are OK to get this PR merged.

@vimalks22

@akshay-p-infosys Thanks for the confirmation. If you need this feature in the other instances of MVT, you can keep this feature (no need to merge the PR). But we will ensure that whenever MVT is deployed in RDK/Comcast VMs, the directory listing will be disabled.

@akshay-p-infosys
Contributor

@vimalks22 Based on the above comment, I understand that you will be making these code changes locally on your server before deploying the code. I also understand that you are not keen on getting this PR merged into the main branch. Please confirm if our understanding is correct.

@vimalks22

@akshay-p-infosys Your understanding is right. Is that OK?
Also letting you know that we have applied the changes in the RDK-hosted MVT tool, mvt.rdkcentral.com. Please let us know if there are any issues in the tool because of these changes.

@akshay-p-infosys
Contributor

@vimalks22 yes, we are OK with the PR not getting merged. Also, we are not seeing any issues with the MVT tool after your deployment.

@vimalks22

Thank you for the confirmation @akshay-p-infosys
