The vCenter VAMI service must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".
An XCCDF Rule
Description
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually, and automatic mapping must be disabled.
- ID
- SV-259143r935333_rule
- Version
- VCLD-80-000031
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Navigate to and open:
/opt/vmware/etc/lighttpd/lighttpd.conf
Add or reconfigure the following value: