Closed Bug 1783721 Opened 2 years ago Closed 2 years ago

Information Exposure Through Directory Listing in https://ftp.mozilla.org/

Categories

(Websites :: Other, task)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: thisboycanhacktoo, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Hello MOZILLA Security team,
I'm Aniket Shrungare

VULNERABILITY: Information Exposure Through Directory Listing

Vulnerable URL:
https://ftp.mozilla.org/pub/

Vulnerability description:
The web server is configured to display the list of files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site.

The impact of this vulnerability:
A user can view a list of all files from this directory, possibly exposing sensitive information.

How to fix this vulnerability:
You should make sure the directory does not contain sensitive information or you may want to restrict directory listings from the web server configuration.

NOTE: SCREENSHOTS OF POC ARE ATTACHED BELOW!!

Regards,
Aniket Shrungare

Flags: sec-bounty?

The /pub/ directory on the FTP server is meant to be public (pub is short for public). Directory listing is desired.

Thank you for the report though, because as you say, in other instances, if this were unintentional, it could reveal sensitive information.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
Group: websites-security
Blocks: 1830029
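
The distinction this thread turns on (an intended public listing versus an unintended one that exposes sensitive files) can be checked mechanically when auditing your own servers. The following is an added example, not part of the bug report or of Mozilla's tooling; the allowlist, the file-name patterns and both HTML samples are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed policy: paths where a listing is intentional (like /pub/ in this bug).
INTENDED_PUBLIC = ("/pub/",)
# Assumed, illustrative names that should never sit in a listed directory.
SENSITIVE = re.compile(r"^(\.env|\.git|\.htpasswd)$|\.(bak|sql|pem|key)$|~$", re.I)

class IndexLinks(HTMLParser):
    """Collect the entry names linked from an auto-generated index page."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if not href or href.startswith("?"):      # skip sort links like ?C=N;O=D
            return
        name = href.rstrip("/").rsplit("/", 1)[-1]
        if name not in ("", ".."):                # skip parent-directory link
            self.names.append(name)

def is_listing(html):
    """Heuristic: title used by common auto-index modules."""
    return re.search(r"<title>\s*(Index of|Directory listing)", html, re.I) is not None

def triage(path, html):
    """Return (verdict, flagged_names) for one fetched page of your own site."""
    if not is_listing(html):
        return ("no-listing", [])
    parser = IndexLinks()
    parser.feed(html)
    hits = sorted(n for n in parser.names if SENSITIVE.search(n))
    if hits:                                      # sensitive names win even on allowlisted paths
        return ("sensitive-entries", hits)
    if path.startswith(INTENDED_PUBLIC):
        return ("intended", [])
    return ("review", [])                         # listing on a path nobody declared public

# Constructed sample pages (not captured from any real server).
PUB_SAMPLE = ('<html><head><title>Index of /pub/</title></head><body>'
              '<a href="../">..</a><a href="/pub/firefox/">firefox/</a></body></html>')
LEAK_SAMPLE = ('<html><head><title>Index of /app/</title></head><body>'
               '<a href="?C=N;O=D">Name</a><a href="../">..</a><a href="index.php">index.php</a>'
               '<a href="db_dump.sql">db_dump.sql</a><a href=".env">.env</a>'
               '<a href="config.php.bak">config.php.bak</a></body></html>')

if __name__ == "__main__":
    print(triage("/pub/", PUB_SAMPLE))
    print(triage("/app/", LEAK_SAMPLE))
```
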