yahoo-eng-team team mailing list archive

[Bug 1369878] [NEW] Hidden Directory Detected in Horizon

Public bug reported:

Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site.
Cause: The web server or application server is configured in an insecure way.
Recommended fix: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely.
Affected URL: https://IP_address/static/

Difference: Path manipulated from: / to: /static/
Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.

Test Requests and Responses:
GET /static/ HTTP/1.1
Cookie: csrftoken=RYhjGotKeCLLuagINfhLc0uidiy4DTaI; sessionid=zqk46d3ypk9c46rzp35cw68sgwgh8klq
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
HTTP/1.1 403 Forbidden
Date: Fri, 12 Sep 2014 04:05:08 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 269
Content-Type: text/html; charset=iso-8859-1

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1369878

Title:
  Hidden Directory Detected in Horizon

Status in OpenStack Dashboard (Horizon):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369878/+subscriptions