Page MenuHomePhabricator

Alert group Development configuration file
Closed, InvalidPublic

Description

Web Server
Alert group Development configuration file
Severity Medium
Description
A configuration file (e.g. Vagrantfile, Gemfile, Rakefile, ...) was found in this directory. This file may
expose sensitive information that could help a malicious user to prepare more advanced attacks. It's
recommended to remove or restrict access to this type of files from production systems.
Recommendations Remove or restrict access to all configuration files acessible from internet.
Alert variants
Details
File info:
composer.lock => Composer lock file. Composer is a dependency manager for PHP.
Pattern found:
"name": "composer/installers"
GET /w/composer.lock HTTP/1.1
Connection: keep-alive
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 12 2019, 12:48 PM
revi added a subscriber: revi.Nov 12 2019, 12:50 PM

You need to specify the domain name.

Reedy closed this task as Invalid.Nov 12 2019, 3:16 PM
sbassett triaged this task as Lowest priority.Nov 12 2019, 4:06 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

Extremely low-level information disclosure of various configuration files are not typically considered vulnerabilities for FLOSS code such as MediaWiki, as said configuration files are publicly-available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.