CVE-2019-7305: 
Linux Ubuntu vulnerability analysis and mitigation

CVE-2019-7305 is an Information Exposure vulnerability discovered in eXtplorer that makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. The vulnerability was introduced in the initial Debian extplorer package version 2.1.0b6+dfsg-1 from 2010 and affects all Ubuntu versions with eXtplorer installed, including Ubuntu 16.04 LTS, 14.04 LTS, and 12.04 ESM (Launchpad Bug).

The vulnerability exists in a Makefile patch file (debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch) that creates symbolic links within the eXtplorer application directory. The problematic symbolic link points to the system's /usr/ directory, inadvertently making it world-accessible over HTTP via /extplorer/usr/. Additionally, the package fails to create a .htaccess file in /etc/extplorer/, potentially exposing configuration files. Authentication to the eXtplorer application is not required to exploit these vulnerabilities (Launchpad Bug).

The vulnerability allows unauthorized access to files and directories under /usr/ and /etc/extplorer/ over HTTP without requiring authentication. This can lead to data leakage, information disclosure, and potentially remote code execution on the web server. Attackers can perform system reconnaissance to gain information about OS type, version, installed packages, and patch status. Sensitive information in directories like /usr/src/ and /usr/local/ may also be exposed (Launchpad Bug).

Several mitigation options are available: 1) Remove the Makefile patch lines that create the extplorer/usr symbolic link, 2) Replace the high-level /usr/ symbolic link with multiple narrowed-down links to specific required directories, 3) Edit web server configuration to deny access to /usr/share/extplorer/usr/, 4) Disable following of symbolic links within the application directory, or 5) Update to a more recent upstream source version without the vulnerable symbolic link (Launchpad Bug).