Thanks Piyush,

I have forwarded this email to our web development team.

I rather doubt the information is up to date, since I don't think Mercurial
is used to maintain the source for the site. You will notice that the most
recent referenced date in the .hg directory is around eight years ago.

Kind regards,
Steve


On Wed, Mar 25, 2020 at 11:21 AM Piyush Patil <piyushpatil...@gmail.com>
wrote:

> Hello Python Team,
>
> I have found a vulnerability in your website. I hope it will help you to be
> more secure.
>
> Mercurial metadata directory (.hg) was found in this folder. An attacker
> can extract sensitive information by requesting the hidden metadata
> directory that version control tool Mercurial creates. The metadata
> directories are used for development purposes to keep track of development
> changes to a set of source code before it is committed back to a central
> repository (and vice-versa). When code is rolled to a live server from a
> repository, it is supposed to be done as an export rather than as a local
> working copy, and hence this problem.
>
> The vulnerability affects https://wiki.python.org/wiki/europython/
>
> *POC *- https://wiki.python.org/wiki/europython/.hg/requires
>
> *The impact of this vulnerability*
> These files may expose sensitive information that may help a malicious
> user to prepare more advanced attacks.
>
>
> *How to fix this vulnerability*
> Remove these files from production systems
> or restrict access to the .hg directory. To deny access to all the .hg
> folders you need to add the following lines in the appropriate context
> (either global config, or vhost/directory, or from .htaccess):
> <Directory ~ "\.hg">
> Order allow,deny
> Deny from all
> </Directory>
>
>
> Please consider adding me to the HOF as a gesture that you guys care about
> whitehat people.
>
> Thank you
> _______________________________________________
> Webmaster mailing list
> webmas...@python.org
> https://mail.python.org/mailman/listinfo/webmaster
>
_______________________________________________
pydotorg-www mailing list
pydotorg-www@python.org
https://mail.python.org/mailman/listinfo/pydotorg-www
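The report above boils down to two defensive tasks: find any version-control metadata that was deployed along with a site, and deny web access to it. The following Python script is an added example for this thread, not code from python.org or its web team; it builds a constructed sample document root (with a stale `wiki/europython/.hg` working copy, as in the report) in a temporary directory, walks it for `.hg`, `.git` and `.svn` directories, and generates an Apache 2.4 `DirectoryMatch` block using `Require all denied`, the 2.4 replacement for the 2.2-era `Order allow,deny` / `Deny from all` lines quoted in the report. The directory layout, file names and the choice of `.git`/`.svn` alongside `.hg` are assumptions made for the example.

```python
"""Audit a web document root for version-control metadata that should never be
deployed, and emit an Apache 2.4 deny rule for it.
Added example for this thread; not python.org code."""
import os
import tempfile

# Directories that version-control tools create inside a working copy.
# The report concerns .hg; .git and .svn are the same class of exposure.
VCS_METADATA_DIRS = {".hg", ".git", ".svn"}


def find_vcs_metadata(docroot):
    """Return a sorted list of VCS metadata directories under docroot, as
    forward-slash paths relative to docroot.  Every subdirectory is walked,
    so a working copy checked out below the root (wiki/europython/.hg in the
    report) is caught, not only a top-level one."""
    found = []
    for dirpath, dirnames, _filenames in os.walk(docroot):
        for name in list(dirnames):
            if name in VCS_METADATA_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                found.append(rel.replace(os.sep, "/"))
                dirnames.remove(name)  # do not descend into the metadata itself
    return sorted(found)


def apache_deny_config(names=frozenset(VCS_METADATA_DIRS)):
    """Build an Apache 2.4 snippet denying access to each metadata directory.
    DirectoryMatch applies the regex to the filesystem path of every directory
    served, so one block covers metadata at any depth under the document
    root.  Only helps for content Apache serves from the filesystem; content
    generated by an application needs its own routing rule."""
    pattern = "|".join(sorted(n.lstrip(".") for n in names))
    return (
        '<DirectoryMatch "/\\.(%s)">\n'
        "    Require all denied\n"
        "</DirectoryMatch>\n" % pattern
    )


def build_sample_docroot():
    """Create a constructed sample document root in a temp directory: a
    stale Mercurial working copy under wiki/europython plus ordinary static
    files, mirroring the layout described in the report."""
    root = tempfile.mkdtemp(prefix="docroot-")
    hg_dir = os.path.join(root, "wiki", "europython", ".hg")
    os.makedirs(hg_dir)
    with open(os.path.join(hg_dir, "requires"), "w") as fh:
        fh.write("revlogv1\nstore\n")  # typical content of .hg/requires
    with open(os.path.join(root, "wiki", "europython", "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    os.makedirs(os.path.join(root, "static", "css"))
    with open(os.path.join(root, "static", "css", "site.css"), "w") as fh:
        fh.write("body {}\n")
    return root


if __name__ == "__main__":
    docroot = build_sample_docroot()
    for rel in find_vcs_metadata(docroot):
        print("VCS metadata deployed at:", rel)
    print(apache_deny_config())
```

Run against a real document root by calling `find_vcs_metadata("/path/to/docroot")`; the scan reports `wiki/europython/.hg` for the sample tree. Removing the directory from the deployed copy (exporting from the repository instead of deploying a working copy, as the report recommends) is the real fix; the Apache rule is the backstop that keeps a future mistake from being reachable.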
