DIRECTORY LISTING INFORMATION DISCLOSURE BUG FOUND

Prasanna Dash prasannadash1789 at gmail.com
Fri Oct 13 01:22:42 EDT 2017


Dear Sir/Madam,

I have found a directory listing bug at the following URLs:
https://pidgin.im/shared/
https://pidgin.im/shared/css/
https://pidgin.im/shared/img/
https://pidgin.im/shared/js/
https://pidgin.im/shared/403.php
https://pidgin.im/shared/404.php

SECURITY IMPACT:

An attacker can see the files located in the directory and could
potentially access files which disclose sensitive information.


ACTIONS TO TAKE:

1. Change your lighttpd.conf file. A secure configuration for the requested
   directory should be similar to the following:

       dir-listing.activate = "disable"

2. Configure the web server to disallow directory listing requests.
3. Ensure that the latest security patches have been applied to the web
   server and the current stable version of the software is in use.


HTTP REQUEST SENT :
GET /shared/ HTTP/1.1
Host: pidgin.im
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate



Please patch this vulnerability as soon as possible.

Thanking you,
PRASANNA DASH
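
The lighttpd.conf change recommended in the message above can be checked mechanically. The following is an added example, not part of the original message and not the project's own code: it scans lighttpd configuration text and reports every scope in which directory listing is switched on, including conditional blocks that re-enable it for one subtree. The sample configuration, its paths and its host name are constructed; the parser assumes at most one brace per line and also checks the legacy alias server.dir-listing.

```python
import re

# Matches the current directive and its legacy alias (server.dir-listing).
DIRECTIVE = re.compile(r'(dir-listing\.activate|server\.dir-listing)\s*=\s*"(\w+)"')

# Constructed sample configuration (paths and host name are made up).
SAMPLE_CONF = '''\
server.document-root = "/var/www/example"
dir-listing.activate = "disable"
$HTTP["url"] =~ "^/shared/" {
    dir-listing.activate = "enable"   # re-enabled for one subtree
}
$HTTP["host"] == "files.example.test" {
    server.dir-listing = "enable"
}
'''

def strip_comment(line):
    """Drop a trailing # comment, ignoring any # inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line

def find_listing_enabled(conf_text):
    """Return (line_no, scope, directive) wherever listing is enabled."""
    findings, scope = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if line.startswith("}"):          # close the current conditional block
            if scope:
                scope.pop()
            line = line[1:].strip()       # also handles "} else $HTTP[...] {"
        m = DIRECTIVE.search(line)
        if m and m.group(2) == "enable":
            findings.append((no, " / ".join(scope) or "global", m.group(1)))
        if line.endswith("{"):            # open a new conditional block
            scope.append(line[:-1].strip())
    return findings

if __name__ == "__main__":
    for no, scope, directive in find_listing_enabled(SAMPLE_CONF):
        print(f"line {no}: {directive} enabled in scope {scope}")
```

A global "disable" alone is not sufficient if a later conditional block turns listing back on, which is why each finding carries its scope.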