
Alert group Development configuration file
Closed, InvalidPublic

Description

Web Server
Alert group: Development configuration file
Severity: Medium
Description:
A configuration file (e.g. Vagrantfile, Gemfile, Rakefile, ...) was found in this directory. This file may expose sensitive information that could help a malicious user prepare more advanced attacks. It is recommended to remove or restrict access to these types of files on production systems.
Recommendations: Remove or restrict access to all configuration files accessible from the internet.
Alert variants
Details
File info:
composer.lock => Composer lock file. Composer is a dependency manager for PHP.
Pattern found:
"name": "composer/installers"
GET /w/composer.lock HTTP/1.1
Connection: keep-alive
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

Event Timeline

You need to specify the domain name.

sbassett triaged this task as Lowest priority.Nov 12 2019, 4:06 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.
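As an added illustration of the last point in the comment above (this is example configuration written for this page, not MediaWiki's or Wikimedia's own configuration), the following Apache fragment refuses to serve dependency-manager and build files directly from the document root. It assumes Apache 2.4 or later (the Require directive) and that it is placed in the MediaWiki vhost or in an .htaccess file where AllowOverride permits it; the list of filenames is an assumption drawn from the scanner's examples (Vagrantfile, Gemfile, Rakefile, composer.lock) plus common Node equivalents.

```apache
# Added example, not part of the task or of MediaWiki.
# Deny direct HTTP access to files that exist only for dependency
# management or build tooling and have no reason to be served.
# Assumes Apache 2.4+ and placement in the MediaWiki vhost or .htaccess.
<FilesMatch "^(composer\.(json|lock)|Gemfile(\.lock)?|Rakefile|Vagrantfile|package(-lock)?\.json|yarn\.lock)$">
    Require all denied
</FilesMatch>

# Same idea for directories that commonly hold such files; adjust the
# paths to match the installation (these are assumed, not MediaWiki defaults).
<DirectoryMatch "/(vendor|\.git|node_modules)(/|$)">
    Require all denied
</DirectoryMatch>
```

After reloading Apache, a request such as the scanner's `GET /w/composer.lock` should return a 403 instead of the file body; checking that from the command line with curl against your own host is a quick way to confirm the rule is in effect. Note that this only hides the copy on the web server, which, as the comment says, is already public in the project's repositories; the benefit is removing a pointer to the exact installed versions on that particular host.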