[tor-bugs] #17969 [Website]: Directory Listing. [https://torproject.org/]

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 31 14:49:17 UTC 2015


#17969: Directory Listing. [https://torproject.org/]
-------------------------+-------------------------------
     Reporter:  Dhiraj   |      Owner:  Sebastian
         Type:  defect   |     Status:  new
     Priority:  Medium   |  Milestone:
    Component:  Website  |    Version:
     Severity:  Normal   |   Keywords:  Directory lsiting
Actual Points:           |  Parent ID:
       Points:           |    Sponsor:
-------------------------+-------------------------------
 '''A misconfigured server can show a directory listing, which could
 potentially yield sensitive information to an attacker.'''

 Read more at: http://cwe.mitre.org/data/definitions/548.html
 and
 https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Directory_Indexing

 The website https://torproject.org has a vulnerability of ''Directory
 Listing'', which may lose certain data, and the data may be lost to the
 attacker.
 Directory listing is not much of a vulnerability, but information may be
 lost, and if the attacker tries to tunnel some directory, information may
 leak, which is critical.

 Example:
 https://torproject.org/js/
 https://torproject.org/css/
 https://torproject.org/docs/
 https://torproject.org/images/
 https://torproject.org/include/

 These are all visible to a normal user, which is not good for the
 respective org.
 The hard work of the developer in writing the CSS or JS is wasted.

 Rather than that:
 https://torproject.org/cgi-bin/
 https://torproject.org/server-status/

 But if an attacker tries to tunnel these respective websites, he/she will
 be able to grab the details of the website.
 It can play as a major vulnerability and a normal vulnerability too.

 For patching: the developer just has to host a file on the server, which
 is '''.htaccess'''.
 This file will restrict all the directories to a normal user or a web
 surfer, and if an attacker tries to tunnel it, he/she will grab nothing.

 Please Patch it Soon.

 Thank you,
 Dhiraj Mishra.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17969>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
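
Added example, not part of the ticket and not the Tor Project's configuration: a check a site operator could run over an '''.htaccess''' file to confirm that the fix the reporter describes actually turns listings off. It assumes the server is Apache httpd, where listings are controlled by the `Indexes` keyword of the `Options` directive; the function name `indexes_enabled` and the sample files are constructed for illustration.

```python
# Option keywords that switch mod_autoindex listings on: "Indexes" itself and
# "All" (documented by Apache as every option except MultiViews).
ENABLING = {"indexes", "all"}


def indexes_enabled(htaccess_text, inherited=False):
    """Return True if directory listings are on after the file's Options lines.

    Simplified model (assumption): only `Options` lines of one file are read,
    in order. `inherited` is the Indexes state of the enclosing scope.
    AllowOverride, <Directory> merging and DirectoryIndex are not modelled.
    """
    state = inherited
    for raw in htaccess_text.splitlines():
        words = raw.split()
        # Apache comments are whole lines starting with '#'.
        if not words or words[0].startswith("#") or words[0].lower() != "options":
            continue
        args = words[1:]
        signed = [a for a in args if a[0] in "+-"]
        if not args or (signed and len(signed) != len(args)):
            # httpd 2.4 rejects an Options line mixing signed and unsigned keywords.
            raise ValueError("invalid Options line: " + raw.strip())
        if signed:
            # All-signed form merges into the inherited options.
            for a in args:
                if a[1:].lower() in ENABLING:
                    state = a[0] == "+"
        else:
            # Unsigned form replaces the inherited options entirely.
            state = any(a.lower() in ENABLING for a in args)
    return state


# Constructed sample files, not taken from torproject.org.
WEAK = "Options +Indexes\n"
FIXED = "# listings off for this tree\nOptions -Indexes\n"
NO_EFFECT = "Options +FollowSymLinks\n"  # merges, so an inherited Indexes survives

if __name__ == "__main__":
    for name, text in [("WEAK", WEAK), ("FIXED", FIXED), ("NO_EFFECT", NO_EFFECT)]:
        print(name, "-> listings enabled:", indexes_enabled(text, inherited=True))
```

An '''.htaccess''' `Options` line only takes effect when the server configuration permits it through `AllowOverride`, so the same `Options -Indexes` setting is often placed in the main server configuration instead.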

