yahoo-eng-team team mailing list archive
Message #24815
[Bug 1369878] Re: Hidden Directory Detected in Horizon
[Expired for OpenStack Dashboard (Horizon) because there has been no activity for 60 days.]
** Changed in: horizon
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1369878
Title:
Hidden Directory Detected in Horizon
Status in OpenStack Dashboard (Horizon):
Expired
Bug description:
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site.
Cause: The web server or application server is configured in an insecure way
Recommended fix: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely.
Affected URL: https://IP_address/static/
Difference: Path manipulated from: / to: /static/
Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.
Test Requests and Responses:
GET /static/ HTTP/1.1
Cookie: csrftoken=RYhjGotKeCLLuagINfhLc0uidiy4DTaI; sessionid=zqk46d3ypk9c46rzp35cw68sgwgh8klq
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
HTTP/1.1 403 Forbidden
Date: Fri, 12 Sep 2014 04:05:08 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 269
Content-Type: text/html; charset=iso-8859-1
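The exchange above shows the usual cause: Apache has directory listing switched off for the aliased static tree, so a request for the bare directory URL is answered with 403 rather than 404, and the status code alone confirms the directory exists. The configuration below is an added example, not part of the bug report or of the Horizon project's shipped Apache configuration; it assumes Apache 2.4 with mod_alias loaded and uses /srv/horizon/static as a placeholder for wherever Horizon's collected static files actually live. The first block reproduces the weak behaviour, the second returns 404 for the directory itself while still serving the files beneath it.

```apache
# --- Weak setting (reproduces the 403 in the report) ---
# Listing is disabled, but Apache still distinguishes "directory exists,
# listing forbidden" (403) from "no such path" (404).
Alias /static /srv/horizon/static            # placeholder path, adjust to the deployment
<Directory /srv/horizon/static>
    Options -Indexes
    Require all granted
</Directory>

# --- Corrected setting ---
# Same alias and directory permissions, plus a mod_alias rule that answers
# 404 for the bare directory URL (with or without the trailing slash).
# Requests for files under /static/ (e.g. /static/dashboard/css/...) do not
# match the anchored pattern and are served as before.
Alias /static /srv/horizon/static            # placeholder path, adjust to the deployment
<Directory /srv/horizon/static>
    Options -Indexes
    Require all granted
</Directory>
RedirectMatch 404 ^/static/?$
```

After reloading Apache, confirm the change with a HEAD request for /static/ (for example `curl -sI https://host/static/`) and check that the status line now reads 404 while a known static asset still returns 200. Note that the rule only hides the top-level directory; if subdirectories under /static/ must also be indistinguishable from missing paths, the pattern needs to be widened, e.g. to `^/static(/.*)?/$`, which matches any directory-style URL ending in a slash.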
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369878/+subscriptions