Closed Bug 567772 Opened 15 years ago Closed 15 years ago

Email Harvesting Possible from Public Job Files

Categories

(Websites :: Other, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mcoates, Unassigned)

Details

(Whiteboard: [infrasec:access])

Issue

Completed jobs are publicly viewable to unauthenticated users. An attacker could create a script that would systematically attempt to enumerate valid job IDs by incrementing through the name space of the job identifiers. For each valid job identifier the attacker could extract the username (email address) and use this for brute-force attacks or to target the user with phishing or spam emails. The overall risk of this issue is low due to the low likelihood of an attack, since a relatively large space of potential job IDs would need to be enumerated for a relatively low payoff (i.e. just obtaining the email address).

Example URL: http://dm-sixgill01.mozilla.org/scripts/jobs/HXONSPMEZW.job

Recommended Remediation

If possible, completely restrict access to the .job files. If access is required, then ensure the user is authenticated before they are able to view the job file.
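The risk reasoning in the report (large ID space, low payoff) can be put in numbers. The following is an added example for this bug, not code from the reporter or from the Mozilla server: it estimates the cost of blind enumeration and runs the harvesting step over constructed sample data. It assumes job IDs are 10 uppercase letters, inferred from the single example ID HXONSPMEZW; the .job file contents are constructed stand-ins. It also covers the caveat the report leaves implicit: the low rating depends entirely on the IDs being unguessable, and collapses if they were sequential.

```python
"""Cost of blind job-ID enumeration, plus the harvesting step the bug
describes, over constructed sample data.

Added example for this bug, not code from the reporter or the server.
Assumptions: IDs are 10 uppercase letters (inferred from the example ID
HXONSPMEZW), and the .job contents below are constructed stand-ins."""

import re
import string

ALPHABET = string.ascii_uppercase   # assumption: IDs use only A-Z
ID_LENGTH = 10                      # assumption: from "HXONSPMEZW"
JOB_URL_RE = re.compile(r"/jobs/([A-Z]{%d})\.job$" % ID_LENGTH)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def job_id_from_url(url: str):
    """Return the job ID in a .job URL of the form seen in the bug, or None."""
    m = JOB_URL_RE.search(url)
    return m.group(1) if m else None


def keyspace(alphabet_size: int = len(ALPHABET), length: int = ID_LENGTH) -> int:
    """Number of candidate IDs an attacker would have to cover blindly."""
    return alphabet_size ** length


def expected_guesses_per_hit(valid_ids: int, space: int = keyspace()) -> float:
    """Mean number of distinct guesses before the first valid ID appears,
    assuming IDs are drawn uniformly from the space and guesses are not
    repeated. With k valid IDs among n candidates in random order, the
    first hit lands on average at position (n + 1) / (k + 1)."""
    return (space + 1) / (valid_ids + 1)


def hours_to_first_hit(valid_ids: int, requests_per_second: float,
                       space: int = keyspace()) -> float:
    """Wall-clock cost of the first harvested address at a steady request rate."""
    return expected_guesses_per_hit(valid_ids, space) / requests_per_second / 3600


def harvest_emails(job_files: dict) -> dict:
    """The harvesting step: map each readable job ID to the email address
    found in its file. Files without an address are skipped."""
    found = {}
    for job_id, body in job_files.items():
        m = EMAIL_RE.search(body)
        if m:
            found[job_id] = m.group(0)
    return found


# Constructed sample of what publicly readable .job files might contain.
SAMPLE_JOB_FILES = {
    "HXONSPMEZW": "user=alice@example.org\nstatus=completed\n",
    "QWERTYUIOP": "user=bob.builder@example.net\nstatus=completed\n",
    "ZXCVBNMASD": "status=running\n",
}


if __name__ == "__main__":
    print("keyspace:", keyspace())
    # Random 10-letter IDs: even with 10,000 valid jobs and 1,000 req/s,
    # the first hit takes about 3,900 hours (months of sustained traffic
    # for one address), which is what makes the report's rating low.
    print("hours to first hit (random IDs, 10k jobs, 1000 req/s):",
          round(hours_to_first_hit(10_000, 1000), 1))
    # Caveat: if IDs were sequential integers, the space collapses to the
    # number of jobs issued and every guess is a hit.
    print("hours to first hit (sequential IDs, 10k jobs, 1000 req/s):",
          hours_to_first_hit(10_000, 1000, space=10_000))
    print("harvested:", harvest_emails(SAMPLE_JOB_FILES))
```

The expectation formula treats IDs as uniformly random; if the real generator is weaker (predictable seed, timestamp-derived, shorter alphabet), the effective space is smaller than 26^10 and the cost drops accordingly, so restricting the files rather than relying on the ID space is the right fix.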
Hi, the .job files don't need to be publicly accessible, I modified the .htaccess files on the server to make them inaccessible.
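The kind of .htaccess rule the comment above describes, as an added example: the bug does not quote the rule actually placed on the server, so this is an assumed form, not the Mozilla configuration.

```apache
# Deny direct HTTP access to every .job file under this directory.
<FilesMatch "\.job$">
    # Apache 2.4
    Require all denied
    # Apache 2.2 equivalent (use instead of the line above):
    # Order allow,deny
    # Deny from all
</FilesMatch>
```

A per-directory .htaccess is only honoured when the enclosing <Directory> block allows it (AllowOverride AuthConfig for Require, AllowOverride Limit for Order/Deny); otherwise the file is silently ignored and the .job files stay readable. Verify the fix from outside with `curl -sI` against the example URL and expect a 403, and check that the same files are not served through another vhost or alias and that directory listings for the jobs path are off, since a listing would hand over the valid IDs directly.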
Looks good to me. Marking this one fixed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED