VCLD-67-000018 - VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mappings based on 'Content-Type' - Content-Type.

Information

Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner.

A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually and automatic mapping must be disabled.

Solution

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf.

Add or reconfigure the following value:

mimetype.use-xattr = 'disable'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y22M10_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000381, Rule-ID|SV-239726r816801_rule, STIG-ID|VCLD-67-000018, Vuln-ID|V-239726

Plugin: Unix

Control ID: b9ee78ac571e0cefc0fb7700747b1d69aec5424c664c3c19524b0bdbb9577ec2