Opened 3 years ago

Closed 3 years ago

#17969 closed defect (invalid)

Directory Listing. [https://torproject.org/]

Reported by: Dhiraj
Owned by: Sebastian
Priority: High
Milestone: WebsiteV3
Component: Webpages/Website
Version:
Severity: Normal
Keywords: Directory listing
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

A misconfigured server can show a directory listing, which could potentially yield sensitive information to an attacker.

Read more at: http://cwe.mitre.org/data/definitions/548.html
and
https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Directory_Indexing

The website https://torproject.org has a directory listing vulnerability, which may lose certain data, and the data may be lost to the attacker.
Directory listing is not very vulnerable by itself, but information may be lost, and if the attacker tries to tunnel into some directory, information may leak, which is critical.

Example:
https://torproject.org/js/
https://torproject.org/css/
https://torproject.org/docs/
https://torproject.org/images/
https://torproject.org/include/

These are all visible to a normal user, which is not good for the respective org.
The hard work of the developer in writing the CSS or JS is wasted.

Apart from that:
https://torproject.org/cgi-bin/
https://torproject.org/server-status/

But if an attacker tries to tunnel into these respective websites, he/she will be able to grab the details of the website.
It can be a major vulnerability and a normal vulnerability too.

For patching: the developer just has to host a file on the server, .htaccess.
This file will restrict all the directories from a normal user or web surfer, and if an attacker tries to tunnel it, he/she will grab nothing.

Please patch it soon.

Thank you,
Dhiraj Mishra.
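
The thread below turns on whether a listing of /js/ and /css/ is a finding at all. As an added example (not code from this ticket or from the Tor Project), the following Python detects an auto-generated directory listing (Apache mod_autoindex, nginx autoindex and lighttpd all title the page "Index of /path") and separates a listing of already-public assets from one that exposes backup, credential or VCS artifacts, which is what makes CWE-548 matter in practice. The two sample responses and the www.example.org host are constructed for the demo. On Apache, the .htaccess fix the reporter refers to is `Options -Indexes`; it only takes effect where the vhost's AllowOverride permits Options, so setting it in the server configuration itself is the more reliable choice.

```python
"""Flag auto-generated directory listings (CWE-548) and triage what they expose.

Added example; not code from the ticket or the Tor Project.  The sample
responses below are constructed for the demo and were not captured anywhere.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Title/heading text emitted by Apache mod_autoindex, nginx autoindex and
# lighttpd mod_dirlisting: "Index of /some/path".
_INDEX_TITLE = re.compile(r"^\s*Index of\s+(/\S*)\s*$", re.IGNORECASE)

# Names whose presence turns a harmless listing into a real finding: VCS data,
# credentials, backups, editor swap files.  Illustrative set, not exhaustive.
_SENSITIVE = re.compile(
    r"(^\.git|^\.svn|^\.env|^\.htpasswd"
    r"|\.(bak|old|orig|sql|sqlite|swp|tar|gz|zip|log)$|~$)",
    re.IGNORECASE,
)


class _IndexParser(HTMLParser):
    """Collect <title> and <h1> text plus every href on the page."""

    def __init__(self):
        super().__init__()
        self.texts = {"title": "", "h1": ""}
        self.hrefs = []
        self._open = None  # which of title/h1 we are currently inside

    def handle_starttag(self, tag, attrs):
        if tag in self.texts:
            self._open = tag
        elif tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_endtag(self, tag):
        if tag == self._open:
            self._open = None

    def handle_data(self, data):
        if self._open:
            self.texts[self._open] += data


def listing_path(html):
    """Return the directory named by an autoindex page, or None for an
    ordinary page (a body mentioning "Index of" does not count)."""
    p = _IndexParser()
    p.feed(html)
    for text in p.texts.values():
        m = _INDEX_TITLE.match(text)
        if m:
            return m.group(1)
    return None


def listed_entries(html, base_url):
    """Absolute URLs of the files/subdirectories an autoindex page exposes.

    Skips the navigation links autoindex adds itself: column-sort queries
    ("?C=N;O=D"), the parent-directory link and anything absolute or off-site.
    """
    p = _IndexParser()
    p.feed(html)
    return [urljoin(base_url, h) for h in p.hrefs
            if not h.startswith(("?", "/", "../", "#")) and "://" not in h]


def triage(html, base_url):
    """'none' (no listing), 'info' (listing of files with no sensitive names,
    e.g. public JS/CSS as in this ticket) or 'finding' (listing that exposes
    something matching _SENSITIVE)."""
    path = listing_path(html)
    if path is None:
        return {"verdict": "none", "path": None, "entries": [], "sensitive": []}
    entries = listed_entries(html, base_url)
    name = lambda u: u.rstrip("/").rsplit("/", 1)[-1]  # last path component
    sensitive = [u for u in entries if _SENSITIVE.search(name(u))]
    return {"verdict": "finding" if sensitive else "info",
            "path": path, "entries": entries, "sensitive": sensitive}


# Constructed Apache-style autoindex response (not captured from any server).
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /js</title></head><body>
<h1>Index of /js</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="jquery.js">jquery.js</a></td><td>2015-12-01 10:00</td></tr>
<tr><td><a href="vendor/">vendor/</a></td><td>2015-12-01 10:00</td></tr>
<tr><td><a href="config.js.bak">config.js.bak</a></td><td>2015-12-01 10:00</td></tr>
</table>
<address>Apache/2.4 Server at www.example.org Port 443</address>
</body></html>"""

# Constructed ordinary page that merely contains the words "Index of".
SAMPLE_PAGE = """<html><head><title>Example site</title></head>
<body><h1>Welcome</h1><p>Index of articles</p><a href="/download">Download</a></body></html>"""

if __name__ == "__main__":
    for label, body in (("listing", SAMPLE_LISTING), ("page", SAMPLE_PAGE)):
        print(label, triage(body, "https://www.example.org/js/"))
```

With real traffic, feed `triage()` the body of each GET on a candidate directory and report only the 'finding' verdicts; an 'info' result on a site whose sources are public, as nickm and Sebastian note below, is not a vulnerability.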

Change History (5)

comment:1 Changed 3 years ago by nickm

These contents are not sensitive as far as I know, are they?

The source to our website is publicly maintained, freely available at https://gitweb.torproject.org/project/web/webwml.git/ , non-proprietary, and licensed (except where otherwise noted) under a creative-commons sharealike license: see https://www.torproject.org/docs/trademark-faq.html.en .

Website admins, is there an actual issue here, or is this just a matter of somebody assuming that all websites are proprietary?

comment:2 in reply to: 1 Changed 3 years ago by Dhiraj

Replying to nickm:

These contents are not sensitive as far as I know, are they?

The source to our website is publicly maintained, freely available at https://gitweb.torproject.org/project/web/webwml.git/ , non-proprietary, and licensed (except where otherwise noted) under a creative-commons sharealike license: see https://www.torproject.org/docs/trademark-faq.html.en .

Website admins, is there an actual issue here, or is this just a matter of somebody assuming that all websites are proprietary?

Hello Nickm,
If the website's contents are publicly available, it doesn't matter.
Directory listing is not a kindness to the respective org; as far as I know, Tor is a well-known org.
It may not amount to a big vulnerability.
But Sir, I request you to please patch it; all we need is just a .htaccess file on the server.
There will be no harm anywhere; I just want to support the respective org.
Thank you Sir, please have a look again.

Regards
Dhiraj Mishra

comment:3 Changed 3 years ago by Dhiraj

Cc: Dhiraj added
Priority: Medium → High

comment:4 Changed 3 years ago by Dhiraj

Cc: Dhiraj removed
Milestone: Tor Website 3.0

comment:5 Changed 3 years ago by Sebastian

Resolution: invalid
Status: new → closed

This is not a vulnerability in our case. As Nick pointed out, all the sources are publicly visible. I don't understand the point about dir listings not being a kindness to Tor.
