Our security administrator indicated a security vulnerability on IS web admin.
If anybody connects to http://Host:Port/WmRoot/images/, it shows directory list in the %IS_HOME%\packages\WmRoot\pub\images without requesting User/Password.
I tried a couple of things to sort it out.
1. Modified .access file in WmRoot\pub, WmRoot\pub\images to only allow Administrator to access this resources and restarted IS.
: It requested User/Password, but still shows the list when I click “Cancel” twice.
2. %IS_HOME%\web\conf\web.xml: it seems to be like httpd.conf of apache tomcat. I modified “listings” parameter to “false” and restarted IS. but it also doesn’t work.
Anybody has an idea on this?
Thanks in advance.