
Dialogic Support Helpweb

Dialogic® IP Media Server

How to disable directory traversal on the Dialogic® IP Media Server Web interface

Symptom:
In the default configuration of the Dialogic® IP Media Server it is possible to see a few of its directories and view the files available through the web user interface.  

This can be a security concern because certain scripts and files are viewable by external non-authenticated users.

Reason for the Issue:
The issue is due to the default settings in the Apache server (httpd) configuration file. 

For the Dialogic® IP Media Server, the default means of accessing the Web User Interface is via the following address:

https://IPMS_IP_ADDRESS/ 

After getting past the security certificate, the user can enter the username and password and access the built-in Web features to view settings and make changes as needed.

However, the default Apache configuration also allows access to the following directories and their files:

http://IPMS_IP_ADDRESS/scripts/  
http://IPMS_IP_ADDRESS/images/  

Once in these directories, the user is able to click on any of the scripts and images to view content.  

This technote describes how to block access to these directories and display a "403 Forbidden" message in the browser.

Fix / Solution:
To disable the ability to traverse the directories, the Apache configuration file needs to be edited.

This security issue is not due to any intrinsic Dialogic® IP Media Server functionality but rather to the default httpd.conf file that the Apache server uses.  The Apache server is the web server running on the Dialogic® IP Media Server.  The relevant Apache server settings are stored within the /etc/httpd/conf/httpd.conf file.  This file is read on bootup or whenever the Apache server is restarted.

To correct this setting, perform the following steps:

1.  Use SSH to access the IP Media Server using the maint login and change to super user ("sudo su" and provide password).
2.  Go into the /etc/httpd/conf/ directory and open the httpd.conf file in an editor.
3.  Search for the following segment:
 
# The Options directive is both complicated and important. Please see 
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks 

4.  Add a minus sign in front of ‘Indexes’.
 
Options -Indexes FollowSymLinks

5.  Save the httpd.conf file.
6.  Restart the httpd service with the following command:
snow-sip > service httpd restart 

After going through these steps, attempting to access the following links should result in a 403 Forbidden error returned within your browser:

http://IPMS_IP_ADDRESS/scripts/  
http://IPMS_IP_ADDRESS/images/  
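
To check the edit from steps 3 to 5 before restarting httpd, the following added example (not part of the original technote or of any Dialogic tooling) lists every active Options directive that still enables Indexes, including directives in other Directory blocks. The sample configuration, its /var/www paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Apache config for directives that still enable
# auto-generated directory listings. The sample config below is constructed.

# Print "LINE: text" for every active Options directive that turns Indexes on.
# "All" counts because it includes Indexes; "-Indexes" and comments do not.
audit_indexes() {
    awk '
        $1 ~ /^#/ { next }                      # commented-out line
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all" || o == "+all") {
                    printf "%d: %s\n", NR, $0
                    break
                }
            }
        }' "$1"
}

# Number of offending directives (0 means no listing-enabling Options remain).
count_indexes() { audit_indexes "$1" | wc -l | tr -d ' '; }

# Write a constructed httpd.conf fragment to the path given in $1.
make_sample() {
    cat > "$1" <<'EOF'
<Directory "/var/www/html">
# Options Indexes is mentioned in this comment only
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/icons">
    Options Indexes MultiViews
</Directory>
EOF
}

# Apply the edit from step 4 to the file in $1 (via a temporary copy).
apply_step4() {
    sed 's/Options Indexes FollowSymLinks/Options -Indexes FollowSymLinks/' "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

conf=$(mktemp)
make_sample "$conf"
echo "before:"; audit_indexes "$conf"
apply_step4 "$conf"
echo "after:";  audit_indexes "$conf"    # the icons block is still reported
rm -f "$conf"
```

On the server, run audit_indexes against /etc/httpd/conf/httpd.conf. Note that -Indexes only stops auto-generated listings; files in these directories remain retrievable by exact URL.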

Note:  Apache server settings may also be stored within the .htaccess file within each web directory.  However, for this method to be used, one has to make special changes within the httpd.conf file in order for this file to be read.  

Product List
Dialogic® IP Media Server

Glossary of Acronyms / Terms
IPMS - IP Media Server
IP - Internet Protocol

Related Documentation
External Link (Dialogic is not responsible for the content of external links):  http://www.techiecorner.com/106/how-to-disable-directory-browsing-using-htaccess-apache-web-server/

