got another "security report" from someone who found a directory listing on the #curl site insisting it is an "information exposure" vulnerability

Even though the entire thing is also available in a public git repository.

Closed.

#curl
in reply to daniel:// stenberg://

I had a rather aggressive one insisting that directory listings on mirror.accum.se was a vulnerability a couple of months ago.

And that I was exposing private information, because some files had "password" in the name, like libpam_password.x.y...

in reply to daniel:// stenberg://

An unscientific search seems to indicate that more than 7% of the vulnerability reports we get in #curl concern directory listings on the website.

That's about half the rate of the legitimate reports.

#curl
in reply to daniel:// stenberg://

change the banner with a huge title: "This is not an information disclosure vulnerability. Reporters will be prosecuted for harassment".
in reply to daniel:// stenberg://

Hey the git repository is another information disclosure!

I'm assuming y'all considered getting someone like HackerOne to triage these reports for you? I'm curious why you didn't want to use them?

in reply to Jonathan Yu

@jawnsy 1. we are using hackerone. 2. closing one of these silly things takes like 3 seconds of my time. Not a bother.
in reply to daniel:// stenberg://

Ah, I thought they would triage the silly ones for you? Guess not 😀
in reply to daniel:// stenberg://

we regularly got those reports at @metalab; because they were usually quite annoying, we're now redirecting /.git to the repository's website...
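What the redirect described in the post above can look like in an nginx server block. This is an added illustration, not metalab's actual configuration: the hostnames, the repository URL and the web root are assumed placeholders, and the `autoindex off` directive is included only to show the related setting that turns off directory listings on the same site.

```nginx
# Hypothetical server block (added example, not the original poster's config).
# Placeholders: example.org and git.example.org are assumed names.
server {
    listen 443 ssl;
    server_name example.org;

    # Web root holds a checkout of the repository (assumed layout).
    root /var/www/example.org;

    # Do not render directory listings; a request for a directory without
    # an index file gets a 403 instead of an HTML index.
    autoindex off;

    # Anything under /.git is sent to the public repository page instead of
    # being served from disk. ^~ stops nginx from considering regex locations.
    location ^~ /.git {
        return 301 https://git.example.org/example/repo;
    }
}
```

With this in place a probe for `/.git/config` receives a redirect to the public repository rather than either file contents or a 404, which removes the "exposed .git" finding from automated scanners' output while changing nothing about what is actually public.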
in reply to daniel:// stenberg://

@metalab nice, we haven't had any reports since, but I guess we're also not really a target for those "specialists" ;)
in reply to daniel:// stenberg://

Fun story from work.

For context we do "digital asset management", aka file storage with fancy features on top.

We had a pentesting company test our product. One of the things they raised was that it was possible to make some files available without additional security. Aka like public files on a web server 🙃