Public bug reported:

Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site.
Cause: The web server or application server is configured in an insecure way.
Recommended fix: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely.
Affected URL: https://IP_address/static/

Difference: Path manipulated from: / to: /static/
Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.

Test Requests and Responses:

GET /static/ HTTP/1.1
Cookie: csrftoken=RYhjGotKeCLLuagINfhLc0uidiy4DTaI; sessionid=zqk46d3ypk9c46rzp35cw68sgwgh8klq
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

HTTP/1.1 403 Forbidden
Date: Fri, 12 Sep 2014 04:05:08 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 269
Content-Type: text/html; charset=iso-8859-1

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1369878

Title:
  Hidden Directory Detected in Horizon

Status in OpenStack Dashboard (Horizon):
  New