Directory Listing on openbsd.org

Directory Listing on openbsd.org

Sohail Shaikh
Dear Security Team,

I am a security researcher and I found a directory listing on
your website http://www.openbsd.org

Issue description

Web servers can be configured to automatically list the contents of
directories that do not have an index page present. This can aid an
attacker by enabling them to quickly identify the resources at a given
path, and proceed directly to analyzing and attacking those resources. It
particularly increases the exposure of sensitive files within the directory
that are not intended to be accessible to users, such as temporary files
and crash dumps.

Directory listings themselves do not necessarily constitute a security
vulnerability. Any sensitive resources within the web root should in any
case be properly access-controlled, and should not be accessible by an
unauthorized party who happens to know or guess the URL. Even when
directory listings are disabled, an attacker may guess the location of
sensitive files using automated tools.


Issue remediation

There is not usually any good reason to provide directory listings, and
disabling them may place additional hurdles in the path of an attacker.
This can normally be achieved in two ways:


   - Configure your web server to prevent directory listings for all paths
   beneath the web root;
   - Place into each directory a default file (such as index.htm) that the
   web server will display instead of returning a directory listing


The Vulnerable URL:

http://www.openbsd.org/CVS/

--
Sohail Shaikh
email: [hidden email]
       [hidden email]
Facebook: https://www.facebook.com/ROOTxDEAD
LinkedIn: https://www.linkedin.com/in/rootxdead/
Twitter: https://twitter.com/ROOTxDEAD
Certified Ethical Hacker
Certified Penetration Tester
Certificate ID: 1410700

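The two remediation options in the report above (disable listings server-wide, or drop an index file into each directory), written out as an httpd.conf(5) fragment for OpenBSD's httpd(8). This is an added editorial example, not configuration taken from the report or from openbsd.org; the hostname, document root and path are made up, and the choice of httpd(8) is an assumption made because the site in question is openbsd.org.

```conf
# Added example, not the configuration of openbsd.org.
# Assumes OpenBSD httpd(8); hostname and paths are invented.

# Weak: "auto index" makes httpd generate a listing for any directory
# that has no index file, so a request for /CVS/ shows every file in it.
server "www.example.org" {
	listen on * port 80
	root "/htdocs/www.example.org"
	directory auto index
}

# Corrected: never generate a listing. If the directory holds an
# index.html it is served; if not, httpd answers 403 Forbidden instead
# of enumerating the directory. "no auto index" is httpd's default,
# so simply deleting the "auto index" line has the same effect.
server "www.example.org" {
	listen on * port 80
	root "/htdocs/www.example.org"
	directory {
		index "index.html"
		no auto index
	}
}
```

After reloading httpd, check the result with `curl -sI http://www.example.org/CVS/`: a directory that has no index file should now return 403 rather than a 200 with a generated listing. As the report itself notes, this only removes the convenience of the listing; any file that is linked elsewhere or has a guessable name is still reachable by its URL, so whether the change matters depends on what the directory actually contains.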

Re: Directory Listing on openbsd.org

Ingo Schwarze
Hi,

[irrelevant Cc:s trimmed]

Sohail Shaikh wrote on Mon, Aug 05, 2019 at 01:47:27AM +0530:

> I am a Security researcher and I found a Directory Listing on
> your website http://www.openbsd.org
>
> The Vulnerable URL:
>
> http://www.openbsd.org/CVS/

There is no issue whatsoever.  The directory in question does not
contain any secret content, and never possibly can.

Besides, when reporting bugs, refrain from including long-winded
explanations of generalities.  Just explain the actual issue
concisely, and don't forget to state why it is an issue *in the
specific case at hand*, which you failed to say here - and which
it actually isn't.

Yours,
  Ingo