Anybody can access http://Host:Port/WmRoot/images/ without being asked for a user/password

Hi everyone,

Our security administrator pointed out a security vulnerability in the IS web admin.
If anybody connects to http://Host:Port/WmRoot/images/, it shows the directory listing of %IS_HOME%\packages\WmRoot\pub\images without requesting a user/password.
I tried a couple of things to sort it out.
1. Modified the .access files in WmRoot\pub and WmRoot\pub\images to allow only Administrator to access these resources, and restarted IS.
   It requested a user/password, but it still shows the list when I click “Cancel” twice.
2. %IS_HOME%\web\conf\web.xml: it seems to be like the httpd.conf of Apache Tomcat. I set the “listings” parameter to “false” and restarted IS, but that doesn’t work either.

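```xml
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```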

Does anybody have an idea about this?
Please advise.

Thanks in advance. :slight_smile:

I’m answering my own question. :slight_smile:
The Administering_Integration_Server guide 8.2 describes how to do it in Appendix B, as follows:
watt.server.displayDirectories
Specifies whether a browser user can view directories that reside on Integration Server without using Integration Server Administrator. When this parameter is set to true (the default), users can view Integration Server directories. When this parameter is set to false, no directories are displayed.

It also works in ver. 7.
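
A way to verify the fix from both sides, as an added example that is not part of the original posts or of the vendor documentation: it audits exported settings for `watt.server.displayDirectories` and checks whether an unauthenticated response still names files from the directory. The key=value settings format, the last-entry-wins rule, the function names and the sample data are assumptions made for illustration.

```python
import urllib.error
import urllib.request


def display_directories_enabled(settings_text):
    """Effective watt.server.displayDirectories value from key=value text.

    Per the guide quoted above, the default is true when the key is absent.
    Only an explicit "false" is treated as disabling listings (conservative).
    """
    enabled = True  # documented default
    for raw in settings_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "watt.server.displayDirectories":
            enabled = value.strip().lower() != "false"  # last entry wins (assumption)
    return enabled


def listing_leaked(body, known_files):
    """True if a response body names files that exist in the directory.

    The status code is deliberately ignored: in the thread, the listing was
    still shown after the login prompt had been cancelled.
    """
    text = body.lower()
    return any(name.lower() in text for name in known_files)


def fetch_unauthenticated(url, timeout=5):
    """GET url with no credentials; return (status, body) even for 401/403."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample data (not taken from a real server).
SAMPLE_SETTINGS = "# extended settings\nwatt.server.displayDirectories = false\n"
SAMPLE_BODY = "<html><body><a href='logo.gif'>logo.gif</a></body></html>"

if __name__ == "__main__":
    print(display_directories_enabled(SAMPLE_SETTINGS))
    print(listing_leaked(SAMPLE_BODY, ["logo.gif"]))
```

Against your own server, pass the body returned by `fetch_unauthenticated("http://Host:Port/WmRoot/images/")` to `listing_leaked` together with a few file names you know are in `WmRoot\pub\images`.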
