Apple Mac OS X Find-By-Content .DS_Store Web Directory Listing #43
Comments
.DS_Store is already added to gitignore. How to reproduce this issue? Which web server did you use?
Ubuntu 22.04 with Docker version 20.10.17
Updated docker image, can you please check it? Docker images run better on Linux Platforms, including your NAS. But if you install docker on macOS or Windows, you may see poor performance. I asked this on Docker forums, and they told me macOS and Windows support is for Development purposes only. For Production, you need to use any Linux Platform. The same story goes for Windows NGINX. Nginx uses only one worker even if you specify n number of worker processes. They will show in Task Manager, but the system will only use one. I got this information directly from the Nginx website.
I'm using Docker on Linux. The .DS_Store file appears to have been removed now. Thank you.
Description
It is possible to read a '.DS_Store' file on the remote web server.
This file is created by MacOS X Finder; it is used to remember the icons' position on the desktop, among other things, and contains the list of files and directories present in the remote directory.
Note that deleted files may still be present in this .DS_Store file.
Solution
Output
http://127.0.0.1/.DS_Store
reveals the following entries:
hosted.html
upload
assets
app-2.5.1.js
images
css
License.md
downloading
README.md
index.html
Risk Factor: Medium
CVSS v2.0 Base Score: 5.0
CVSS v2.0 Temporal Score: 3.7
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS v2.0 Temporal Vector: CVSS2#E:U/RL:OF/RC:C
https://nvd.nist.gov/vuln/detail/CVE-2001-1446
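A pre-publish check for the condition reported above, as an added example that is not part of the issue or the project's code: it walks a directory that is about to be served or copied into an image and lists every `.DS_Store`, since a `.gitignore` entry keeps the file out of git but not out of a working directory. The function names and the sample tree are constructed for illustration.

```python
import os
import sys
import tempfile

# A Finder-written .DS_Store starts with bytes 00 00 00 01 followed by "Bud1".
DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"


def find_ds_store(root):
    """Return sorted (relative_path, has_finder_header) for each .DS_Store under root."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != ".ds_store":
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(len(DS_STORE_MAGIC))
            hits.append((os.path.relpath(full, root), head == DS_STORE_MAGIC))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample docroot: one Finder-style .DS_Store, one empty one."""
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    with open(os.path.join(root, ".DS_Store"), "wb") as fh:
        fh.write(DS_STORE_MAGIC + b"\x00" * 24)
    open(os.path.join(root, "assets", ".DS_Store"), "wb").close()


if __name__ == "__main__":
    # With no argument, run against the constructed sample tree.
    if len(sys.argv) > 1:
        found = find_ds_store(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            found = find_ds_store(tmp)
    for path, is_finder in found:
        print(f"{path}\t{'Finder metadata' if is_finder else 'name match only'}")
    # Non-zero exit lets a build or CI step fail when any file is found.
    sys.exit(1 if found else 0)
```

Run it with the web root or build context as the only argument; any hit should be deleted from that directory before the content is published.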