Created attachment 8869685

As you see, this discloses a full path to a resource. This information could be used in further attack scenarios like LFI or RCE, and I also tested that this site is also vulnerable to clickjacking; for the PoC I send you a screenshot. Have a good day.

I found a subdomain of mozilla.org using an online subdomain finder and I found the vulnerability.

For full path disclosure, step: open the URL and you see the dir list, and you travel the dir.

For clickjacking: The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. This vulnerability affects Web Server.

Impact: An attacker can host this domain in another evil site by using an iframe, and if a user fills the given field it can directly redirect as logs to the attacker and after that redirect to your web server. It leads to stealing user information too, and using that host site as phishing of your site. It's CSRF and clickjacking.

POC. Here are the steps to reproduce the vulnerability:
1. Open notepad and paste the following code:
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://ftp.mozilla.org" width="1247" height="800"></iframe>
</body>
</html>
2. Save it as <anyname>.html, e.g. test.html.
3. And just simply open that.
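A defender-side check for the header the report discusses, added here as an example that is neither the reporter's nor Mozilla's code: given a page's response headers, classify whether framing is restricted by a Content-Security-Policy frame-ancestors directive, by X-Frame-Options, or not at all. The header sets in SAMPLE_RESPONSES are constructed for the example.

```python
# Added example: classify the anti-framing protection present in HTTP
# response headers. Rules follow the CSP and X-Frame-Options specs:
#  - a CSP frame-ancestors directive takes precedence over X-Frame-Options;
#  - X-Frame-Options DENY and SAMEORIGIN are honoured; ALLOW-FROM is obsolete
#    and ignored by current browsers, so it counts as no protection;
#  - Content-Security-Policy-Report-Only does not enforce, so it is ignored.

def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def framing_protection(headers: dict) -> str:
    """Return 'csp', 'xfo' or 'none' for a mapping of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # 'none', 'self' or explicit hosts restrict framing; '*' allows any origin.
        return "none" if "*" in sources else "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    return "xfo" if xfo in ("DENY", "SAMEORIGIN") else "none"

# Constructed sample responses; the first mirrors the situation in the report
# (no X-Frame-Options header at all).
SAMPLE_RESPONSES = {
    "listing-no-header": {"Content-Type": "text/html"},
    "xfo-sameorigin": {"X-Frame-Options": "sameorigin"},
    "csp-overrides-xfo": {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy":
                          "default-src 'self'; frame-ancestors 'none'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "xfo-allow-from-obsolete": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

def audit(responses: dict) -> dict:
    """Map each sample name to its framing-protection verdict."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:26} -> {verdict}")
```

Pages that are intentionally public, like a directory listing with no user state, may legitimately omit these headers; the check tells you what is present, not whether framing is a risk for that page.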
These are intended to be public sites with directory listings, to make them easy to navigate. And since there is no private data, there's nothing to clickjack. Thank you for your submission!