← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:10756 · Disclosed 2001-09-11

Apple Mac OS X Find-By-Content

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

Like leaving a building directory in the lobby after locking the office doors

This plugin fires when a web server will hand out a /.DS_Store file, a macOS Finder metadata artifact that can reveal file and directory names in that folder and sometimes stale names for deleted items. In practice the affected population is not all Macs but web content copied from Mac workstations onto any HTTP server without filtering dotfiles; Tenable maps it to the old Find-By-Content era (Mac OS X 10.0 through 10.0.4) and scores it as generic information disclosure.

Tenable's MEDIUM label is too generous for enterprise patch prioritization. The real-world chain requires the file to be present, exposed over HTTP, and valuable enough that the leaked filenames lead to something else; that's a lot of friction for a bug that by itself gives no code execution, no auth bypass, and no write path.

"This is a noisy web-hardening issue, not a Monday-morning emergency"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Probe for /.DS_Store with curl or wget

The attacker requests https://target/path/.DS_Store directly. No exploit kit is needed; this is a plain HTTP GET against a guessed or enumerated directory. Nessus plugin 10756 and Juniper's HTTP:INFO-LEAK:DS-STORE signature both describe this exact access pattern.
Conditions required:
  • Unauthenticated remote access to the web server
  • The target path must actually contain a .DS_Store file
  • The web server must permit direct download of dotfiles
Where this breaks in practice:
  • Many modern web stacks already deny hidden files or dotfiles by default
  • If the site was deployed from CI/CD rather than drag-and-drop from Finder, the file often is not there
  • The attacker has to know or guess a relevant directory path first
Detection/coverage: Good scanner coverage for direct file fetches; easy to validate with DAST or simple curl. Web logs usually capture the request plainly.
STEP 02

Parse metadata with a .DS_Store reader or strings

After download, the attacker extracts filenames and subdirectory names from the binary metadata. Public parsers exist, but even crude parsing can leak enough names to identify backups, admin panels, exported archives, or unlinked assets.
Conditions required:
  • Downloaded file is non-empty and parseable
  • Metadata contains meaningful filenames rather than just view settings
Where this breaks in practice:
  • Not every .DS_Store yields rich filename data
  • The file may only describe one folder, limiting blast radius to a narrow path
  • Modern content layouts often expose the same filenames elsewhere anyway
Detection/coverage: Network detection stops here; post-download parsing happens off-host and is invisible unless you hunt on the attacker side.
STEP 03

Enumerate unlinked or sensitive files with curl, ffuf, or a custom script

The filenames become a wordlist for targeted follow-on requests. This is where the issue graduates from harmless clutter to actual exposure if the directory also contains backups, debug builds, exports, images, or forgotten admin artifacts that are reachable but unlinked.
Conditions required:
  • Leaked names must correspond to actually accessible files
  • The server must not require authentication for those files
Where this breaks in practice:
  • A leaked filename is not a compromise by itself
  • Many high-value files are blocked by auth, stored off-webroot, or denied by separate rules
  • CDN/WAF/routing layers may not expose the same path structure externally
Detection/coverage: Web logs and WAFs can catch the burst of follow-on GETs better than the initial .DS_Store fetch.
STEP 04

Exploit the *real* exposed asset, not the .DS_Store itself

If a truly sensitive file is reachable, the attacker abuses that separate exposure. The .DS_Store issue is usually just reconnaissance or path discovery, not the terminal impact.
Conditions required:
  • A second exploitable condition must exist
  • The discovered asset must materially expose data or credentials
Where this breaks in practice:
  • Most environments stop at information disclosure and go no further
  • Impact depends entirely on what else is mispublished in that directory
Detection/coverage: This becomes a different detection problem tied to the exposed asset, not to .DS_Store handling.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo evidence in the reviewed sources of current active exploitation campaigns. This is best understood as a low-effort reconnaissance primitive rather than a weaponized intrusion vector.
PoC availabilityNo exploit needed. Any HTTP client (curl, wget) can fetch the file, and Intego noted in 2010 that the process can be automated to spider a site quickly.
EPSS1.08% probability, about 84th percentile, per CVEDetails' EPSS display for CVE-2001-1446; Feedly showed a similar current magnitude (1.21%).
KEV statusNot listed in CISA's KEV catalog mirror during source review; no CISA due date pressure applies.
CVSS / interpretationTenable shows CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N = 5.3 MEDIUM, which correctly models confidentiality-only impact but still overstates operational urgency for most estates.
Affected footprintAny web path serving a copied .DS_Store is exposed. The historical CVE record references Mac OS X 10.0 through 10.0.4, but the practical modern issue is mispublished Finder metadata on a web server, regardless of server OS.
Fixed versionThere is no meaningful estate-wide patch version for the plugin finding. The durable fix is to remove .DS_Store from published content and deny direct HTTP access to dotfiles; Intego notes Apple added Apache rules in a 2004 update on Mac OS X / Server.
Scanning / exposure dataNo authoritative current Shodan/Censys hit count was surfaced in source review. This is a content artifact, so exposure is usually found by web scanners, search indexing, or direct probing rather than banner-based Internet census.
Disclosure / reportingThe mapped CVE (CVE-2001-1446) was published on 2001-09-11. Intego later documented real-world web exposure and Google indexing of .DS_Store files on 2010-02-11.
Detection coverageNessus plugin 10756 covers it, and Juniper ships IPS signature HTTP:INFO-LEAK:DS-STORE, which labels it Minor severity.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (2.8/10)

The decisive factor is that this issue usually requires a second failure after the first one: not just a downloadable .DS_Store, but also something valuable hidden behind the leaked filenames. By itself it is a narrow confidentiality leak with no execution path, no privilege change, and a very limited blast radius per exposed directory.

HIGH Severity downgrade from Tenable `MEDIUM` to noisgate `LOW`
MEDIUM Historical CVE mapping quality for this plugin

Why this verdict

  • Starts as confidentiality-only: the vendor vector already says C:L/I:N/A:N; there is no direct code execution, tampering, or outage path.
  • Requires a very specific attacker position: unauthenticated remote is possible, but only if a guessed directory contains a .DS_Store and the server serves dotfiles. That sharply reduces the reachable population from 'all web servers' to a mispublished subset.
  • Implies no initial compromise, but usually yields only reconnaissance: the file leak mainly gives names and paths. Attack value depends on discovering a second exposed asset, so the chain compounds downward after the initial request.
  • Modern controls should stop or shrink it: standard web-server dotfile denies, CI/CD packaging, artifact hygiene, and WAF/log review all break the path early. In many enterprises those controls are already present even when scanners still catch isolated exceptions.
  • No active exploitation pressure: no KEV listing and no reviewed campaign reporting means there is no evidence this deserves emergency patch treatment.

Why not higher?

If this were routinely leading to credential theft or public admin takeover on its own, the score would move up. It does not: the attacker still needs the file to be exposed and then needs another reachable sensitive object behind the leaked names, which is a separate failure condition.

Why not lower?

It is still Internet-reachable if present, trivially testable, and sometimes leaks exactly the filenames defenders hoped obscurity would hide. In environments that publish ad hoc content from Macs, it can materially aid discovery of backups, exports, staging assets, or forgotten admin files.

05 · Compensating Control

What to do — in priority order.

  1. Block dotfiles at the web tier — Add explicit deny rules for /.DS_Store and preferably all hidden dotfiles at the reverse proxy and origin. For a LOW verdict there is no SLA; treat as backlog hygiene, but this is the cleanest control because it covers future developer mistakes too.
  2. Purge .DS_Store from publish paths — Scan web roots, static site artifacts, object-storage website buckets, and deployment bundles for .DS_Store, then remove them before release. For LOW, there is no SLA; treat as backlog hygiene and fold it into standard release hardening.
  3. Harden Mac publishing workflows — On Mac endpoints used for content staging, disable writing .DS_Store to network shares where practical and add artifact exclusions in build/deploy tooling. For LOW, there is no SLA; treat as backlog hygiene and land it in your developer platform baseline.
  4. Hunt for follow-on access — Search HTTP logs for requests to /.DS_Store and then inspect adjacent requests for leaked filenames, backup extensions, and admin paths. This helps distinguish harmless scanner noise from someone using the file as a recon seed.
What doesn't work
  • EDR on endpoints doesn't solve a web server handing out a public file; the access happens over normal HTTP.
  • Relying on 'security through obscurity' for unlinked files fails here because .DS_Store may leak the names directly.
  • Only deleting visible files from Finder is not enough if the deployment process still copies hidden files or syncs whole folders.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or CI runner that can reach the target URL. Invoke it as bash check-dsstore.sh https://www.example.com/suspect/path/; it needs no privileges and reports whether /.DS_Store is directly downloadable from that path.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-dsstore.sh
# Simple remote verifier for exposed .DS_Store files over HTTP(S)
# Usage: bash check-dsstore.sh https://www.example.com/path/
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage error

set -u

if [ "$#" -ne 1 ]; then
  echo "Usage: $0 <base-url>"
  exit 3
fi

BASE_URL="$1"
BASE_URL="${BASE_URL%/}"
TARGET_URL="${BASE_URL}/.DS_Store"
TMP_BODY="$(mktemp 2>/dev/null || echo /tmp/dsstore.$$)"
TMP_HDR="$(mktemp 2>/dev/null || echo /tmp/dsstore_hdr.$$)"
trap 'rm -f "$TMP_BODY" "$TMP_HDR"' EXIT

HTTP_CODE=$(curl -k -sS -L \
  -D "$TMP_HDR" \
  -o "$TMP_BODY" \
  -w "%{http_code}" \
  --connect-timeout 10 \
  --max-time 20 \
  "$TARGET_URL" 2>/dev/null)
CURL_RC=$?

if [ $CURL_RC -ne 0 ]; then
  echo "UNKNOWN - request failed for $TARGET_URL"
  exit 2
fi

BODY_SIZE=$(wc -c < "$TMP_BODY" 2>/dev/null || echo 0)
CONTENT_TYPE=$(awk 'BEGIN{IGNORECASE=1} /^Content-Type:/ {print $2; exit}' "$TMP_HDR" | tr -d '\r')

case "$HTTP_CODE" in
  200|206)
    if [ "$BODY_SIZE" -gt 32 ]; then
      # If the response looks like an HTML error page, keep it UNKNOWN.
      if grep -Eiq '<html|<!doctype html|access denied|not found|forbidden' "$TMP_BODY"; then
        echo "UNKNOWN - HTTP $HTTP_CODE but body looks like an error page at $TARGET_URL"
        exit 2
      fi
      echo "VULNERABLE - downloadable .DS_Store detected at $TARGET_URL (HTTP $HTTP_CODE, ${BODY_SIZE} bytes, content-type: ${CONTENT_TYPE:-unknown})"
      exit 1
    else
      echo "UNKNOWN - HTTP $HTTP_CODE but body too small to confirm .DS_Store at $TARGET_URL"
      exit 2
    fi
    ;;
  401|403|404)
    echo "PATCHED - .DS_Store not directly downloadable at $TARGET_URL (HTTP $HTTP_CODE)"
    exit 0
    ;;
  *)
    echo "UNKNOWN - unexpected HTTP $HTTP_CODE for $TARGET_URL"
    exit 2
    ;;
esac
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat plugin 10756 like a patch emergency. Validate which findings are on Internet-facing sites, add a standard dotfile deny if it's missing, and clean the artifacts out of your publish paths during your normal web-hardening cycle; for a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA — treat it as backlog hygiene, document exceptions, and reserve real urgency for findings that provide execution, auth bypass, or proven active exploitation.

Sources

  1. Tenable Nessus Plugin 10756
  2. Tenable Plugin 10756 changelog
  3. CVE Details - CVE-2001-1446
  4. Feedly CVE page - CVE-2001-1446
  5. CISA KEV catalog mirror
  6. FIRST EPSS documentation
  7. Intego on .DS_Store exposure
  8. Juniper IPS signature HTTP:INFO-LEAK:DS-STORE
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.