VCLD-67-000018 - VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on 'Content-Type' - Content-Type.

Information

Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner.

A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually and automatic mapping must be disabled.

Solution

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf.

Add or reconfigure the following value:

mimetype.use-xattr = 'disable'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000381, Rule-ID|SV-239726r679288_rule, STIG-ID|VCLD-67-000018, Vuln-ID|V-239726

Plugin: Unix

Control ID: 6e884542785cae74a17414757840ce0f592940e8d923956ce1e96f1cdb76a6fa