perfsonar / maddash

The Monitoring and Debugging Dashboard (MaDDash) is a tool for collecting large amounts of inherently two-dimensional data and presenting it in visually useful ways.

vulnerability report #79

Closed dviface closed 5 years ago

dviface commented 5 years ago

Our instance of maddash got security tested for vulnerabilities. The security team has sent us the report with three minor issues and recommendations:

Could you please change the apache-maddash.conf to include those recommendations.

Thank you

arlake228 commented 5 years ago

We provide the perfsonar-toolkit-security package to serve this purpose. You can run yum install perfsonar-toolkit-security. It installs a global apache configuration that amongst other things tightens the directory listing and OPTIONS method policies you mention. The X-Frame-Options can't be set for MaDDash since it uses an iframe to display the graph and that functionality would be broken.

In general we don't make global changes to the web server in individual packages such as MaDDash and require people to more or less "opt-in" with "perfsonar-toolkit-security". We do this to avoid conflicts with other packages or any policies local administrators make through configuration management software or similar. Just as MaDDash won't touch your firewall, ssh settings, etc., we don't change web server settings outside of the directories specifically used by MaDDash.

dviface commented 5 years ago

Thank you for your answer. Actually we had perfsonar-toolkit-security installed. From what I can see it brings apache-perfsonar-security.conf which has -Indexes in it, but in apache-maddash.conf +Indexes is specified. As a result you can browse directories like example.com/maddash-webui/etc/ or /lib. Maybe there are no important files there, but IMHO, if they do not need to be browsable, listings should be forbidden.

Regarding X-Frame-Options I have observed that some other perfsonar packages implemented the Content-Security-Policy header instead. And I could not find any configuration directives in the perfsonar httpd conf files that disable the HTTP OPTIONS method. I know these are really minor issues but since we have got them reported I was somehow obliged to raise them here.
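The override dviface describes comes from how Apache merges `Options`: a `+Indexes` in a more specific `<Directory>` block wins over a global `-Indexes`. The sketch below is an added illustration, not the contents of apache-maddash.conf or of the perfsonar-toolkit-security package; the filesystem path and the allowed method list are assumptions, and the "before" and "after" blocks are alternatives, not meant to be loaded together.

```apache
# Added illustration; not the project's shipped configuration.
# Assumed: the global hardening file disables listings for the whole tree.
<Directory "/">
    Options -Indexes
</Directory>

# BEFORE: a package block for the UI subtree that re-enables listings.
# Apache applies <Directory> sections from least to most specific and
# merges "+"/"-" options, so "+Indexes" here overrides the global
# "-Indexes" for this subtree only. /maddash-webui/etc/ and
# /maddash-webui/lib/ therefore become browsable.
# (Path is a placeholder for whatever apache-maddash.conf actually uses.)
<Directory "/var/www/maddash-webui">
    Options +Indexes
</Directory>

# AFTER: same subtree, listings off, and any method other than the ones the
# UI needs (assumed: GET, POST, HEAD) is refused, which covers OPTIONS.
# "Require" is Apache 2.4 syntax.
<Directory "/var/www/maddash-webui">
    Options -Indexes
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
```

After reloading, `apachectl -t` validates the syntax, a request for `/maddash-webui/etc/` should return 403 (or 404 if no index file exists) instead of a listing, and `curl -i -X OPTIONS https://example.com/maddash-webui/` should return 403 rather than an `Allow:` header.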

vvidic commented 5 years ago

Maybe X-Frame-Options: sameorigin would work if the graphs are always on the same host as maddash-web?

Otherwise we would need to pass graphUrl to the cgi script somehow so it can generate this header dynamically.

arlake228 commented 5 years ago

We have definitely run into cases where the graphs are not on the same host. People do this because the maddash host can get loaded and it makes the graphs load faster. I am not sure how widespread this is, so I guess we could have a discussion about whether we want to do this in order to appease the scanners.
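The cross-host framing case arlake228 raises is the one `X-Frame-Options` cannot express, since it only knows `DENY` and `SAMEORIGIN`, whereas the `Content-Security-Policy` header dviface saw in other perfsonar packages can list specific framing origins. The fragment below is an added illustration, not code from maddash or perfsonar-toolkit-security; it assumes a `/maddash-graphs` location on the host serving the graph pages and uses a placeholder dashboard hostname.

```apache
# Added illustration; not shipped by maddash or perfsonar-toolkit-security.
# Applied on the host that serves the graph pages the dashboard embeds.
# Location path and hostnames are placeholders.
<Location "/maddash-graphs">
    # Allow framing by this host itself and by the (possibly separate)
    # dashboard host; any other origin is refused by the browser.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://maddash.example.org"
    # Drop any global X-Frame-Options so the two headers cannot disagree;
    # browsers that implement frame-ancestors ignore X-Frame-Options anyway.
    Header always unset X-Frame-Options
</Location>
```

This keeps the allowed dashboard origins in static configuration rather than having the graph CGI emit the header from a passed-in graphUrl, so a site that serves graphs from a second host only has to add that host's dashboard origin to the `frame-ancestors` list; everything else on the server can keep a plain `SAMEORIGIN` policy.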