KB Article #176808

Directory Listing Vulnerability in Certain Configurations of API Gateway

Problem

* Certain non-default configurations of API Gateway, as well as the 7.2.0 GA release of API Manager (released under the name "API Portal"), may be affected by a directory listing vulnerability in the static content provider.

Resolution

-- When certain crafted paths are fed to a static content provider, it can be tricked into reading files outside its content directory: a directory traversal vulnerability. Most configurations are not affected, because such paths are absorbed by the default policy bound to the root path ('/'), which is not vulnerable. If that default policy has been removed, however, the underlying vulnerability is exposed. This is fixed in 7.2.1 and later releases; anyone on 7.2.0 should apply the latest service pack.

Older versions of the API Gateway should simply retain the default policy bound to '/', which returns 403 Access Denied; this stops malicious paths from ever reaching your static content providers. If the default '/' policy must be removed, also remove the default 'favicon.ico' static content provider and any other static content providers you have configured.
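The following is an added example, not Axway/Vordel code and not the product's routing algorithm: a small Python model of the two points made above, a static content provider that appends the request path to its root without canonicalising it (the traversal) next to one that checks containment, and a deny-by-default binding at '/' that refuses unmatched paths before any provider sees them. The content root, the '/css/' binding and the longest-prefix routing rule are assumptions made for the model; the sample request paths are constructed.

```python
"""Illustrative model (added example, not Axway/Vordel code) of a static
content provider with and without path canonicalisation, and of the
deny-by-default policy at '/' that the article relies on."""
import posixpath
from urllib.parse import unquote

# Hypothetical document root of the static content provider (assumption).
CONTENT_ROOT = "/opt/gateway/static"

# Sentinel standing in for the default '/' policy that returns 403.
DENY = object()

# Constructed sample requests: one benign file, then traversal attempts in
# plain, percent-encoded and double-encoded form.
SAMPLE_PATHS = [
    "/css/site.css",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/etc/passwd",
]


def naive_resolve(request_path, root=CONTENT_ROOT):
    """Vulnerable: URL-decode the path and append it to the root with no
    containment check. normpath() stands in for the '..' collapsing the
    filesystem performs when the file is opened."""
    return posixpath.normpath(root + "/" + unquote(request_path).lstrip("/"))


def hardened_resolve(request_path, root=CONTENT_ROOT):
    """Decode exactly once, canonicalise, then require the result to stay
    under root. Returns None for any request that must be refused."""
    decoded = unquote(request_path)
    if "%" in decoded:
        return None  # a second encoding layer survived: refuse, never re-decode
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def escapes_root(fs_path, root=CONTENT_ROOT):
    """True when a resolved filesystem path lies outside the content root."""
    root = posixpath.normpath(root)
    return (fs_path is not None and fs_path != root
            and not fs_path.startswith(root + "/"))


def serve(request_path, bindings):
    """Simplified routing model (an assumption, not the product's algorithm):
    the longest literal prefix in `bindings` wins, and whatever is bound at '/'
    catches everything else. Returns (HTTP status, filesystem path or None)."""
    prefix = max((p for p in bindings if request_path.startswith(p)), key=len)
    handler = bindings[prefix]
    if handler is DENY:
        return 403, None
    resolved = handler(request_path)
    return (403, None) if resolved is None else (200, resolved)


# Shipped layout per the article: a provider on a specific prefix plus the
# '/' policy returning 403. (The '/css/' binding is a hypothetical example.)
DEFAULT_BINDINGS = {"/": DENY, "/css/": naive_resolve}
# The risky change: '/' policy deleted and a naive provider bound in its place.
RISKY_BINDINGS = {"/": naive_resolve, "/css/": naive_resolve}
# Same layout with providers that canonicalise and check containment.
HARDENED_BINDINGS = {"/": hardened_resolve, "/css/": hardened_resolve}


def audit(bindings, paths=SAMPLE_PATHS):
    """Run each sample path through the routing model; return
    [(path, status, escaped_root)]."""
    rows = []
    for path in paths:
        status, fs_path = serve(path, bindings)
        rows.append((path, status, escapes_root(fs_path)))
    return rows


if __name__ == "__main__":
    for name, bindings in [("default", DEFAULT_BINDINGS),
                           ("risky", RISKY_BINDINGS),
                           ("hardened", HARDENED_BINDINGS)]:
        print(f"== {name} ==")
        for path, status, escaped in audit(bindings):
            print(f"{status}  escaped={escaped!s:5}  {path}")
```

With the default layout every traversal attempt is answered 403 before a provider runs, which is the protection the article describes. In the risky layout the plain and single-encoded attempts resolve to /opt/etc/passwd. The double-encoded case does not escape in this single-decode model, but it would on a server that decodes twice, which is why the hardened resolver refuses any path that still contains '%' after one decode rather than guessing.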