Closed
Bug 820605
Opened 12 years ago
Closed 12 years ago
Open File Directory Listing vulnerability
Categories
(Websites :: Other, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 792999
People
(Reporter: parveen1015, Unassigned)
Attachments
(1 file)
By this vulnerability any attacker could view all files in a given web directory. This allows them to see files which might not be linked anywhere on your site, including files which may include sensitive information, such as backup script files (like index.php~ or index.php.bak), htaccess files, or text files with notes (password.txt!).

The other method is more dangerous. Some web servers are set up such that the web home is actually the user home, so passing in certain values in the web address can allow directory listings outside of the normally safe web folder structure. This is more dangerous since an attacker may be able to find and execute programs on your server through a web browser, potentially exploiting those programs as well.

Security Risk: If one or more directories hold a secret file, such as a password or key file, the attackers may be able to steal it. Additionally, directory traversal can sometimes allow attackers to access files outside the web root directory, leading to the stealing of system files, which can aid in other, additional attacks.

Affected links:
1.) http://viewvc.svn.mozilla.org/vc/projects/services.mozilla.com/tags/production/.htaccess?view=log
2.) http://viewvc.svn.mozilla.org/vc/projects/services.mozilla.com/trunk/index.html?view=log
3.) http://viewvc.svn.mozilla.org/vc/projects/quality.mozilla.org/branches/wordpress/wp-content/plugins/feedwordpress/?pathrev=68081
Comment 1•12 years ago
This is by design and is not a vulnerability.
Group: mozilla-services-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Component: Web Site → Other
Product: Mozilla Services → Websites
Resolution: --- → DUPLICATE
Reporter
Comment 2•12 years ago
Hello sir, but if it is giving us .htaccess and root-sum password in md5 then how is it not a vulnerability?
Comment 3•12 years ago
If .htaccess access is accessible from the world, it is a vulnerability itself. It's irrelevant to directory listing. Attackers can try to access .htaccess regardless of whether directory listing is allowed.
Reporter
Comment 4•12 years ago
(In reply to Masatoshi Kimura [:emk] from comment #3)
> If .htaccess access is accessible from the world, it is a vulnerability
> itself. It's irrelevant to directory listing. Attackers can try to access
> .htaccess regardless of whether directory listing is allowed.

Hello Masatoshi, thanks for your response. Not only the .htaccess file and root pass, we can access the logs also, and as I have given the proof of it also in the attachment photo and link, you can take a look at those. Kindly prefer it as .htaccess, log access vulnerability and take prior action toward my report.
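An added example, not part of the bug thread or of any Mozilla code: a local audit of a web document root for the kinds of files the description names (backup copies, `.htaccess`, password notes), which can be requested by direct URL whether or not directory listing is enabled, the point made in comment 3. The patterns beyond the names in the description, the function names, and the sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Names from the bug description plus common siblings (the extra patterns
# are assumptions; tune them to your own deployment).
RISKY_PATTERNS = {
    "backup copy": ["*~", "*.bak", "*.old", "*.orig", "*.swp"],
    "server config": [".htaccess", ".htpasswd"],
    "credential notes": ["password*.txt", "passwd*.txt"],
}

def classify(filename):
    """Return the risk category for a file name, or None if none matches."""
    name = filename.lower()
    for category, patterns in RISKY_PATTERNS.items():
        if any(fnmatch.fnmatchcase(name, p) for p in patterns):
            return category
    return None

def audit_docroot(docroot):
    """Walk docroot; return sorted (relative_path, category) findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for fn in filenames:
            category = classify(fn)
            if category:
                rel = os.path.relpath(os.path.join(dirpath, fn), docroot)
                findings.append((rel.replace(os.sep, "/"), category))
    return sorted(findings)

def audit_sample():
    """Build a constructed sample tree in a temp dir and audit it."""
    sample = ["index.php", "index.php~", "index.php.bak", ".htaccess",
              "admin/password.txt", "css/site.css"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        return audit_docroot(root)

if __name__ == "__main__":
    # Each finding should be deleted, moved out of the document root, or
    # confirmed to be refused by the server when requested directly.
    for rel, category in audit_sample():
        print(f"{category:18} {rel}")
```

Run `audit_docroot()` against the real document root on the server itself; a `.htaccess` finding is expected on Apache hosts and only needs confirmation that the server refuses to serve it.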