Public bug reported:

Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site.
Cause: The web server or application server is configured in an insecure way.
Recommended fix: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely.
Affected URL: https://IP_address/static/

Difference: Path manipulated from: / to: /static/
Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.

Test Requests and Responses:
GET /static/ HTTP/1.1
Cookie: csrftoken=RYhjGotKeCLLuagINfhLc0uidiy4DTaI; sessionid=zqk46d3ypk9c46rzp35cw68sgwgh8klq
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

HTTP/1.1 403 Forbidden
Date: Fri, 12 Sep 2014 04:05:08 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 269
Content-Type: text/html; charset=iso-8859-1

** Affects: horizon
     Importance: Undecided
         Status: New
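For context on the recommended fix, the following is an added example, not taken from the bug report or from the Horizon project, of the Apache vhost fragment commonly used to serve Horizon's collected static files. The first form is the one that produces the 403 seen above; the second answers the bare directory URL with 404 instead. The Alias target /usr/share/openstack-dashboard/static and Apache 2.4 syntax (Require all granted) are assumptions; substitute the STATIC_ROOT of your deployment. Use one form or the other, not both in the same vhost.

```apache
# Form 1 (produces the finding): "Options -Indexes" disables directory
# listing, but a request for the directory itself (GET /static/) is then
# answered with 403 Forbidden, which confirms to a scanner that the
# directory exists.
Alias /static /usr/share/openstack-dashboard/static
<Directory /usr/share/openstack-dashboard/static>
    Options -Indexes
    Require all granted
</Directory>

# Form 2 (hardened): the bare directory URL, with or without the trailing
# slash, is answered with 404 by mod_alias. Redirect/RedirectMatch
# directives take precedence over Alias regardless of ordering, so the
# filesystem is never consulted for /static/ itself, while individual
# files such as /static/dashboard/css/... are still served as before.
RedirectMatch 404 "^/static/?$"
Alias /static /usr/share/openstack-dashboard/static
<Directory /usr/share/openstack-dashboard/static>
    Options -Indexes
    Require all granted
</Directory>
```

After reloading Apache, `curl -sI https://<host>/static/ | head -1` should report `HTTP/1.1 404 Not Found` while `curl -sI https://<host>/static/dashboard/css/<some file>` still returns 200. Note the limit of the fix: the prefix /static/ is also visible in every stylesheet and script URL in the dashboard's HTML, so the 404 only stops the blind probe the scanner performed; the finding is informational rather than a real exposure of the file system.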

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1369878

Title:
  Hidden Directory Detected in Horizon

Status in OpenStack Dashboard (Horizon):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369878/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
