.FBCIndex File Contents Disclosure Vulnerability

By: Richard Glaser, University of Utah - Revised: 2010-02-06

What is the threat?

A remote attacker can read the indexed contents of files by submitting a URL to the vulnerable host's Web service in the following format:

    http://www.example.com/target_directory/.FBCIndex

This information could provide an attacker with sensitive information, including potential passwords useful in dictionary attacks, system configuration settings, installed applications, etc. If this vulnerability is properly exploited, the information gathered by the attacker could be used to further compromise the security of the host.

What is the .FBCIndex file?

In Mac OS X, there is no longer a central, massive, invisible index file on the hard drive. Instead, every folder has its own invisible index file called .FBCIndex. This file, generated by Mac OS X, is roughly equivalent to Mac OS 9's "TheFindByContentFolder". It is generated only if a search with indexing enabled was performed on that folder.

How to fix this Vulnerability?

To fix this vulnerability you have multiple options, such as removing these files from your Mac OS X web server volumes, or modifying the Mac OS X web server software (Apache) configuration so that it does not serve these files.

Remove .FBCIndex Files
Use the following find command and options to remove all .FBCIndex files from volumes:

find / -type f -name ".FBCIndex" -delete

Or use the following command to remove all .FBCIndex files from just web sharepoint:

find /path/to/sharepoint -type f -name ".FBCIndex" -delete

The find command recursively descends the directory tree for each path listed. The option "-type f" matches only regular files, "-name" matches the file name, and "-delete" deletes the files that match.

Note - Run the above command with administrative privileges.

Prevent Apache from serving .FBCIndex Files
Mac OS X client and server both use Apache for web serving. The default Apache httpd.conf allows these files to be served. Using a text editor, open httpd.conf and make the following modifications.

# Prevents viewing of files beginning with a dot.
# These files are specific to Mac OS X and web access can be a potential security risk.
# Notable files include .DS_Store, .FBCIndex, etc.
# The backslash in the pattern is required: "^." alone would match every file name.

<FilesMatch "^\.">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

After making this modification, restart Apache, either using Mac OS X's GUI tools or by running the "apachectl graceful" command with administrative privileges in the Terminal.
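The following audit script is an added example, not part of the original article. It combines the two fixes above: it lists the dot-files (including .FBCIndex) that Apache would serve from a document root, removes .FBCIndex files with the same find options the article uses, and checks whether an httpd.conf contains the dot-file FilesMatch block. The document root, configuration files and their contents are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added audit helper (not from the original article). Functions take a
# document root or an httpd.conf path as $1; the sample tree and the two
# httpd.conf variants below are constructed for the demo.

# List every regular file whose name starts with a dot under directory $1.
# These are exactly the files a FilesMatch "^\." block would deny.
find_dotfiles() {
    find "$1" -type f -name ".*" -print
}

# Count .FBCIndex files under $1 (what the article's find -delete removes).
count_fbcindex() {
    find "$1" -type f -name ".FBCIndex" -print | wc -l | tr -d ' '
}

# Remove .FBCIndex files under $1, mirroring the article's find command.
remove_fbcindex() {
    find "$1" -type f -name ".FBCIndex" -delete
}

# Return 0 if config file $1 contains the dot-file FilesMatch block.
# Matched literally (-F), so a pattern with a stripped backslash ("^.",
# which would match every file name) is reported as missing.
config_denies_dotfiles() {
    grep -qF '<FilesMatch "^\.">' "$1"
}

# Constructed sample tree: two indexed folders and two httpd.conf variants.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/docroot/site/sub"
echo "wordlist fragment" > "$SAMPLE_ROOT/docroot/site/.FBCIndex"
echo "wordlist fragment" > "$SAMPLE_ROOT/docroot/site/sub/.FBCIndex"
echo "<html></html>" > "$SAMPLE_ROOT/docroot/site/index.html"
printf '<FilesMatch "^\\.">\nOrder allow,deny\nDeny from all\nSatisfy All\n</FilesMatch>\n' \
    > "$SAMPLE_ROOT/httpd-good.conf"
printf '<FilesMatch "^.">\nDeny from all\n</FilesMatch>\n' \
    > "$SAMPLE_ROOT/httpd-bad.conf"

echo "dot-files under docroot that Apache would serve by default:"
find_dotfiles "$SAMPLE_ROOT/docroot"
echo ".FBCIndex files found: $(count_fbcindex "$SAMPLE_ROOT/docroot")"
if config_denies_dotfiles "$SAMPLE_ROOT/httpd-good.conf"; then
    echo "httpd-good.conf: dot-files denied"
fi
if ! config_denies_dotfiles "$SAMPLE_ROOT/httpd-bad.conf"; then
    echo "httpd-bad.conf: no dot-file FilesMatch block (bare ^. matches every name)"
fi
```

Run remove_fbcindex against a real document root only after reviewing the list printed by find_dotfiles, since the same find options delete without confirmation.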

FilesMatch - Configuration Parameter Controls for Apache

<FilesMatch>
Syntax: <FilesMatch regex> ... </FilesMatch>
Context: server config, virtual host, .htaccess
Status: core
Compatibility: only available in Apache 1.3 and above.

The <FilesMatch> directive provides for access control by filename, just as the <Files> directive does. However, it accepts a regular expression.

Mac OS X Installation Location for Apache

Mac OS X 10.5/10.6 (Leopard/Snow Leopard, Apache 2.2):

ServerRoot              ::      /usr
Primary Config File     ::      /etc/apache2/httpd.conf
DocumentRoot            ::      /Library/WebServer/Documents
ErrorLog                ::      /var/log/apache2/error_log
AccessLog               ::      /var/log/apache2/access_log
cgi-bin                 ::      /Library/WebServer/CGI-Executables (empty by default)
binary                  ::      /usr/sbin/httpd
start/stop              ::      /usr/sbin/apachectl (start|stop|restart|fullstatus|status|graceful|graceful-stop|configtest|help)

Note - apachectl graceful is equivalent to apachectl restart and doesn't keep running connections alive. Similarly, graceful-stop is not graceful.

The /usr/sbin/envvars script is ineffective for setting environment variables.

See http://lists.apple.com/archives/web-dev/2008/Apr/msg00059.html

Mac OS X 10.4 (Tiger and earlier, Apache 1.3):

ServerRoot              ::      /usr
Primary Config File     ::      /etc/httpd/httpd.conf
DocumentRoot            ::      /Library/WebServer/Documents
ErrorLog                ::      /var/log/httpd/error_log
AccessLog               ::      /var/log/httpd/access_log
cgi-bin                 ::      /Library/WebServer/CGI-Executables (empty by default)
binary                  ::      /usr/sbin/httpd
start/stop              ::      apachectl (start|stop|restart|fullstatus|status|graceful|configtest|help)