got another "security report" from someone who found a directory listing on the #curl site insisting it is an "information exposure" vulnerability
Even though the entire thing is also available in a public git repository.
Closed.
maswan
in reply to daniel:// stenberg://
I had a rather aggressive one insisting that directory listings on mirror.accum.se were a vulnerability a couple of months ago.
And that I was exposing private information, because some files had "password" in the name, like libpam_password.x.y...
daniel:// stenberg://
in reply to daniel:// stenberg://
An unscientific search seems to indicate that more than 7% of the vulnerability reports we get in #curl concern directory listings on the website.
That's about half the rate of the legitimate reports.
Thomas Guyot-Sionnest
in reply to daniel:// stenberg://

Jonathan Yu
in reply to daniel:// stenberg://
Hey the git repository is another information disclosure!
I'm assuming y'all considered getting someone like HackerOne to triage these reports for you? I'm curious why you didn't want to use them?
daniel:// stenberg://
in reply to Jonathan Yu

Jonathan Yu
in reply to daniel:// stenberg://

Clemens aka data
in reply to daniel:// stenberg://

daniel:// stenberg://
in reply to Clemens aka data
@datacop @metalab 😀
$ grep '\.git' .htaccess
RedirectMatch "^/.git" curl.se/dev/source.html
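An added example, not taken from the thread or from the curl site's own configuration, showing the two Apache settings this thread keeps circling: a directory with auto-generated listings enabled, and the hardened form that turns listings off and redirects any request for the `.git` tree the way daniel's rule does. The directory path and the redirect target are placeholders; the regex escapes the dot so it matches a literal `.git` prefix only.

```apache
# BEFORE (constructed example): listings enabled, .git reachable over HTTP
<Directory "/var/www/example/htdocs">
    Options +Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# AFTER (constructed example): no auto-generated listings, and every
# request whose path starts with /.git is redirected to a page that
# says where the public source actually lives.
<Directory "/var/www/example/htdocs">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Escaped dot: "^/\.git" matches "/.git", "/.git/HEAD" and "/.gitignore",
# but not "/xgit", which an unescaped "." would also match.
# (placeholder target URL)
RedirectMatch 301 "^/\.git" "https://example.invalid/dev/source.html"

# Alternative when a redirect is not wanted: refuse the request outright
# for any on-disk directory whose path contains "/.git".
# <DirectoryMatch "/\.git">
#     Require all denied
# </DirectoryMatch>
```

Whether a listing is a finding at all depends on what the directory holds: for a tree that is also published in a public git repository, as in this thread, turning listings off changes nothing about what a reader can learn, which is the reason such reports get closed.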
Clemens aka data
in reply to daniel:// stenberg://

Rasmus Hansen
in reply to daniel:// stenberg://
Fun story from work.
For context, we do "digital asset management", aka file storage with fancy features on top.
We had a pentesting company test our product. One of the things they raised was that it was possible to make some files available without additional security. Aka like public files on a web server 🙃