UCF STIG Viewer Logo

VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mappings based on "Content-Type".


Overview

Finding ID Version Rule ID IA Controls Severity
V-239726 VCLD-67-000018 SV-239726r816801_rule Medium
Description
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually and automatic mapping must be disabled.
STIG Date
VMware vSphere 6.7 VAMI-lighttpd Security Technical Implementation Guide 2022-01-03

Details

Check Text ( C-42959r816800_chk )
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash".

At the command prompt, execute the following command:

# /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|grep "mimetype.use-xattr"

Expected result:

mimetype.use-xattr = "disable"

If the output does not match the expected result, this is a finding.
Fix Text (F-42918r679287_fix)
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf.

Add or reconfigure the following value:

mimetype.use-xattr = "disable"