Application Error Disclosure -sensitive data disclose

Shailesh Kumavat kumawatshailesh7 at gmail.com
Tue Nov 21 06:56:14 EST 2017


Hi Sir,
  I have found some vulnerability in your site. I found some data, email.
 Method=
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
ETag: "1713417860"
Last-Modified: Mon, 31 Mar 2014 02:55:02 GMT
Content-Length: 15472
Date: Tue, 21 Nov 2017 11:33:15 GMT
Server: lighttpd

URL=https://pidgin.im/pipermail/support/2014-March/thread.html
description= This page contains an error/warning message that may disclose
sensitive information like the location of the file that produced the
unhandled exception. This information can be used to launch further attacks
against the web application. The alert could be a false positive if the
error message is found inside a documentation page.

solution=Review the source code of this page. Implement custom error pages.
Consider implementing a mechanism to provide a unique error
reference/identifier to the client (browser) while logging the details on
the server side and not exposing them to the user.

some Information=

Hello
* Phillip Akhzar pakhzar at gmail.com
Mon Mar 17 16:47:56 EDT 2014 *

------------------------------

*Someone I could speak with? I'm curious about the business and
permissions it took.

Best,

Phillip

> On Mar 17, 2014, at 12:33 PM, David Woolley <forums at david-woolley.me.uk> wrote:
>
>> On 17/03/14 18:41, Phillip Akhzar wrote:
>> Was wondering about the founders of this company and how difficult something like this was to develop.
>
> I don't believe they are incorporated.
>>
>> for entrepreneurship.
> If they are incorporated, it will be as a not-for-profit.
>
*





Thanks,
Shailesh Kumavat.
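
One way to implement the mechanism named in the solution text above (a unique error reference for the client, full details only in the server log). This is an added example, not part of the original message or of any Pidgin code; the middleware name, the `X-Error-Reference` header and the failing handler with its file path are assumptions constructed for illustration.

```python
import io
import logging
import sys
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app.errors")
GENERIC_BODY = "<h1>Something went wrong</h1><p>Reference: {ref}</p>"


class ErrorReferenceMiddleware:
    """Catch unhandled errors, log details server-side, show the client only an id."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            # Materialise the body so errors raised while iterating are caught too.
            return list(self.app(environ, start_response))
        except Exception:
            ref = uuid.uuid4().hex
            # Traceback, exception text and request path go to the server log only.
            log.exception("unhandled error ref=%s path=%s", ref, environ.get("PATH_INFO"))
            body = GENERIC_BODY.format(ref=ref).encode()
            headers = [("Content-Type", "text/html; charset=utf-8"),
                       ("Content-Length", str(len(body))),
                       ("X-Error-Reference", ref)]  # hypothetical header name
            # exc_info lets a WSGI server replace headers the app may have set.
            start_response("500 Internal Server Error", headers, sys.exc_info())
            return [body]


def broken_app(environ, start_response):
    # Constructed failing handler: the exception text carries a file location.
    raise FileNotFoundError("/srv/www/example/templates/thread.tmpl")


def demo():
    """Send one request through the wrapper; return (status, headers, body, log text)."""
    stream, captured, environ = io.StringIO(), {}, {}
    handler = logging.StreamHandler(stream)
    log.addHandler(handler)
    setup_testing_defaults(environ)
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(ErrorReferenceMiddleware(broken_app)(environ, start_response))
    log.removeHandler(handler)
    return captured["status"], captured["headers"], body.decode(), stream.getvalue()
```

The reference in the response is the key an operator uses to find the matching log entry, so the file path never has to appear in the page itself.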

