Open File Directroy Listing vulnerability

RESOLVED DUPLICATE of bug 792999

Status

RESOLVED DUPLICATE of bug 792999
6 years ago
6 years ago

People

(Reporter: parveen1015, Unassigned)

Tracking

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 691104 [details]
Photo of open directory listing in which .htacess and root admin folder specified by circle.

By this vulnerability any attacker could view all files in a given web directory. This allows them to see files which might not be linked anywhere on your site, including files which may include sensitive information, such as backup script files (like index.php~ or index.php.bak), htaccess files, or text files with notes (password.txt!)
The other method is more dangerous. Some web servers are setup such that the web home is actually the user home, so passing in certain values in the web address can allow directory listings outside of the normally safe web folder structure. This is more dangerous since an attacker may be able to find and execute programs on your server through a web browser, potentially exploiting those programs as well.

Security Risk :- If one or more directories holds a secret file, such as a password or key file, the attackers may be able to steal it. Additionally, directory traversal can sometimes allow attackers to access files outside the web root directory, leading to the stealing of system files, which can aid in other, additional attacks.

Effected links :- 
1.)                   http://viewvc.svn.mozilla.org/vc/projects/services.mozilla.com/tags/production/.htaccess?view=log
2.) http://viewvc.svn.mozilla.org/vc/projects/services.mozilla.com/trunk/index.html?view=log
3.) http://viewvc.svn.mozilla.org/vc/projects/quality.mozilla.org/branches/wordpress/wp-content/plugins/feedwordpress/?pathrev=68081
This is by design and is not a vulnerability.
Group: mozilla-services-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Component: Web Site → Other
Product: Mozilla Services → Websites
Resolution: --- → DUPLICATE
Duplicate of bug: 792999
(Reporter)

Comment 2

6 years ago
hello sir,
but if it is giving us .htacess and root-sum password in md5 then how it is not a vulnerability ??
If .htacess access is accessible from the world, it is a vulnerability itself. It's irrelevant to directory listing. Attackers can try to access .htaccess regardless whether directory listing is allowed.
(Reporter)

Comment 4

6 years ago
(In reply to Masatoshi Kimura [:emk] from comment #3)
> If .htacess access is accessible from the world, it is a vulnerability
> itself. It's irrelevant to directory listing. Attackers can try to access
> .htaccess regardless whether directory listing is allowed.

hello Masatoshi,
thanks for your response.
Not only .htacess file,root pass we can acess the logs also and as i have given the proof of it also in the attachemnet photo,link ,you can take a look at those. kindly prefer it as .htacess,log acess vulnerability and take prior action toward my report.
You need to log in before you can comment on or make changes to this bug.