Apple Mac OS X Find-By-Content .DS_Store Web Directory Listing

medium Nessus Plugin ID 10756

Synopsis

It is possible to get the list of files present in the remote directory.

Description

It is possible to read a '.DS_Store' file on the remote web server.

This file is created by the Mac OS X Finder; it is used to remember icon positions on the desktop, among other things, and contains the list of files and directories present in the remote directory.

Note that deleted files may still be present in this .DS_Store file.

Solution

- Configure your web server to prevent the download of .DS_Store files.
- Mac OS X users should configure their workstations to disable the creation of .DS_Store files on network shares.
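Blocking downloads still leaves the files in the document root. The script below is an added example, not part of the Nessus plugin: it audits a web root for the Finder metadata files named on this page and removes them after review. The function names are hypothetical, and the case-insensitive match is an assumption made so that variants such as `.ds_store` are also caught.

```shell
#!/bin/sh
# Added example (not the plugin's code): audit a web document root for
# Finder metadata files (.DS_Store, .FBCIndex) that list directory contents.
# Function names are hypothetical. -iname needs GNU, BSD or BusyBox find.

# Print every matching file under ROOT, one path per line, sorted.
find_finder_metadata() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    find "$1" -type f \( -iname '.DS_Store' -o -iname '.FBCIndex' \) -print | sort
}

# Print how many such files exist under ROOT.
count_finder_metadata() {
    find_finder_metadata "$1" | wc -l | tr -d '[:space:]'
}

# Delete the files under ROOT, then print how many remain (0 on success).
purge_finder_metadata() {
    find "$1" -type f \( -iname '.DS_Store' -o -iname '.FBCIndex' \) \
        -exec rm -f {} +
    count_finder_metadata "$1"
}

# Workstation side (run on the Mac, per the Apple support article linked
# under See Also), stops Finder writing .DS_Store to network shares:
#   defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool TRUE

# Usage: ./audit_ds_store.sh /var/www/html   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    find_finder_metadata "$1"
fi
```

Run the listing first and review it before purging; a scheduled run catches files reintroduced by later uploads from a Mac.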

See Also

https://support.apple.com/en-us/HT1629

https://helpx.adobe.com/dreamweaver/kb/remove-ds-store-files-mac.html

http://www.greci.cc/?p=10

Plugin Details

Severity: Medium

ID: 10756

File Name: osX_apache_finder.nasl

Version: 1.33

Type: remote

Family: Web Servers

Published: 9/14/2001

Updated: 10/27/2023

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: The .fbcindex and the .ds_store files are disclosed. No write access or manipulation is possible, and there is no disruption of service. This is simply an information disclosure vulnerability.

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2001-1446

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

CPE: cpe:/o:apple:mac_os_x, cpe:/o:apple:macos

Exploit Ease: No exploit is required

Vulnerability Publication Date: 9/10/2001

Reference Information

CVE: CVE-2001-1446

BID: 3316, 3325

CERT: 177243