The vCenter VAMI service must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".

An XCCDF Rule

Description

<VulnDiscussion>Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually, and automatic mapping must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259143r935333_rule
Severity: Medium
References: CCI-000381
Updated: 8 months ago

Navigate to and open:

/opt/vmware/etc/lighttpd/lighttpd.conf

Add or reconfigure the following value:
mimetype.use-xattr        = "disable"

Restart the service with the following command:

# vmon-cli --restart applmgmt

The vCenter VAMI service must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".

Description

Remediation - Manual Procedure