tetrode
Hi
We installed Openfire at a customer which does vulnerability scanning. They came back with, among others, the following:
Some directories are listable, namely: /images/ /setup/ and /js/ (so http://openfire:9090/images/ etc.)
Can I apply a configuration on the openfire webserver so that this is solved?
Thanks
Mark
guus
Hi Mark,
Thanks for reporting this. I’ve filed a new ticket in our issue tracker, to get this behavior changed: [OF-2880] - Ignite Realtime Jira
I’ve prepared a code change here: OF-2880: Admin console should not show directory listing by guusdk · Pull Request #2543 · igniterealtime/Openfire · GitHub
As a work-around, I think you can add the following snippet in all web.xml files of Openfire. You'll likely need to restart afterwards:
<context-param>
    <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
    <param-value>false</param-value>
</context-param>
tetrode
Hi Guus
I have tried your workaround on Openfire 4.7.5 and added
<context-param>
    <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
    <param-value>false</param-value>
</context-param>
to
/var/lib/openfire/plugins/plugin/web/WEB-INF/web.xml
/var/lib/openfire/plugins/restapi/web/WEB-INF/web.xml
/var/lib/openfire/plugins/search/web/WEB-INF/web.xml
/var/lib/openfire/plugins/admin/webapp/WEB-INF/web.xml
restarted the Openfire server and directory browsing is no longer allowed.
Thanks for your quick reply and solution
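Applying the work-around from Guus's reply to the four web.xml files listed above is easy to get wrong by hand (a typo in the param-name silently leaves listing enabled, and the same edit has to be repeated after every plugin upgrade). The script below is an added example, not part of the thread or of Openfire itself: it walks a plugin directory, finds every WEB-INF/web.xml, checks whether the org.eclipse.jetty.servlet.Default.dirAllowed context-param is already set to false, and inserts or rewrites it if not. The edit is done on the raw text rather than by re-serialising the XML so that comments and formatting in the descriptor survive. The default base path /var/lib/openfire/plugins and the sample descriptors are assumptions for illustration; after patching, Openfire still needs a restart as the thread says.

```python
"""Audit and patch Jetty web.xml descriptors so DefaultServlet refuses
directory listings (org.eclipse.jetty.servlet.Default.dirAllowed=false).
Added example for the Openfire thread; not project code."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

PARAM_NAME = "org.eclipse.jetty.servlet.Default.dirAllowed"

# The snippet from the thread, inserted when the descriptor lacks it.
SNIPPET = (
    "    <context-param>\n"
    f"        <param-name>{PARAM_NAME}</param-name>\n"
    "        <param-value>false</param-value>\n"
    "    </context-param>\n"
)

# Constructed sample descriptors (not real Openfire files) used for the checks below.
SAMPLE_NO_PARAM = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">\n'
    "  <!-- constructed sample -->\n"
    "  <servlet><servlet-name>demo</servlet-name></servlet>\n"
    "</web-app>\n"
)
SAMPLE_TRUE = SAMPLE_NO_PARAM.replace(
    "</web-app>",
    "  <context-param>\n"
    f"    <param-name>{PARAM_NAME}</param-name>\n"
    "    <param-value>true</param-value>\n"
    "  </context-param>\n</web-app>",
)


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag: '{uri}param-name' -> 'param-name'."""
    return tag.rsplit("}", 1)[-1]


def dir_listing_state(xml_text: str):
    """Return the configured dirAllowed value (e.g. 'true', 'false') or None if absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == PARAM_NAME:
            return value
    return None


def disable_dir_listing(xml_text: str):
    """Return (patched_text, changed). Edits the text so comments and layout are kept."""
    state = dir_listing_state(xml_text)
    if state is not None and state.lower() == "false":
        return xml_text, False          # already hardened, nothing to do
    if state is None:
        # Insert just before </web-app>; servlet 2.4+ descriptors accept any element order.
        idx = xml_text.rfind("</web-app>")
        if idx < 0:
            raise ValueError("no </web-app> closing tag found")
        return xml_text[:idx] + SNIPPET + xml_text[idx:], True
    # Parameter present with some other value: rewrite the value in place.
    pattern = re.compile(
        r"(<param-name>\s*" + re.escape(PARAM_NAME)
        + r"\s*</param-name>\s*<param-value>)[^<]*(</param-value>)",
        re.S,
    )
    patched, n = pattern.subn(r"\g<1>false\g<2>", xml_text, count=1)
    if n != 1:
        raise ValueError("could not rewrite existing param-value; edit by hand")
    return patched, True


def patch_tree(base: Path) -> list:
    """Patch every WEB-INF/web.xml below base; return the paths that were changed."""
    changed = []
    for path in sorted(base.rglob("WEB-INF/web.xml")):
        text = path.read_text(encoding="utf-8")
        new_text, did_change = disable_dir_listing(text)
        if did_change:
            path.write_text(new_text, encoding="utf-8")
            changed.append(path)
    return changed


if __name__ == "__main__":
    # Assumed default location; pass another directory as the first argument.
    base_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "/var/lib/openfire/plugins")
    for p in patch_tree(base_dir):
        print("patched", p)
    print("restart Openfire for the change to take effect")
```

Running it twice is safe: the second pass reports nothing patched. After the restart, requesting http://openfire:9090/images/ should no longer return a listing, which is the check the scanner will repeat.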