Closed Bug 1830672 Opened 1 year ago Closed 1 year ago

Confidential Penetration Test Report Leak on *.mozilla.org

Categories

(Websites :: wiki.mozilla.org, task)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: sambardhankhanal, Unassigned)


Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Hello team,
I was fuzzing for files and directories at wiki.mozilla.org and I discovered that the following endpoint is hosting a confidential PDF file without any authentication restrictions:

https://wiki.mozilla.org/images/9/98/Graphite-report.pdf

  1. Go to the above URL
  2. Directly view the file in your browser
  3. On the top right of each page, it clearly states "Confidential"

Impact:
The exposed file is a full pentest report on Secure Open Source. This can give an attacker an idea about previously identified vulnerabilities and a way to come up with a bypass for them. An attacker can also circulate these files in public, affecting public trust towards the platform. Finally, the file is strictly meant to be confidential, but there is no authentication barrier implemented on the endpoint, allowing anyone to access the confidential file. Overall, this vulnerability has a high impact on the confidentiality and integrity of the organization.

If you have any questions or require clarification I am happy to help,
Cheers,
Sambardhan

Flags: sec-bounty?
Component: Other → wiki.mozilla.org

The Secure Open Source (SOS) program funded public audits of open source projects. The reports were initially confidential while the issues were remediated; after an appropriate amount of time, they were published openly. A repository of them can be found at https://github.com/mozilla/MOSS-Directory/tree/master/SOS_Fund_Audits

Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-