Sensitive Files Exposed via Directory Listing

RESOLVED WORKSFORME

Status

Socorro
General
RESOLVED WORKSFORME
3 years ago
3 years ago

People

(Reporter: Shubham mittal, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

3 years ago
Created attachment 8538587 [details]
dr1.PNG

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Steps to reproduce:

Browse to https://crash-stats-prod.zlb.phx.mozilla.net/.


Actual results:

This shows a complete directory listing of crash reports, .sh files, internal test files, etc. 




Expected results:

I am not sure if this is intentionally made public or not. In case this was intentionally public, it is obviously not a bug. Otherwise it should be patched on an immediate basis, as the information being disclosed sounds a bit critical.

Thank you.
(Reporter)

Comment 1

3 years ago
Created attachment 8538589 [details]
dr2.PNG
(Reporter)

Comment 2

3 years ago
Created attachment 8538590 [details]
dr3.PNG

Comment 3

Crash stats are publicly available here; I guess nothing is sensitive.
https://crash-stats.mozilla.com/home/products/Firefox
Component: Other → General
Product: Websites → Socorro
Version: Production → unspecified

Comment 4

3 years ago
This is exposing only public data (and some scripts to run reports on that public data as well as the resulting reports), and its normal URL is actually https://crash-analysis.mozilla.com/
(Reporter)

Comment 5

3 years ago
Okay. Great then. :)

Comment 6

3 years ago
So can this be closed as INVALID? Or what needs to be done here?

Comment 7

3 years ago
Closing as WFM as I don't see anything sensitive.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME