Web Server
Alert group: Development configuration file
Severity: Medium
Description
A configuration file (e.g. Vagrantfile, Gemfile, Rakefile, ...) was found in this directory. This file may
expose sensitive information that could help a malicious user to prepare more advanced attacks. It's
recommended to remove or restrict access to this type of file on production systems.
Recommendations: Remove or restrict access to all configuration files accessible from the internet.
Alert variants
Details
File info:
composer.lock => Composer lock file. Composer is a dependency manager for PHP.
Pattern found:
"name": "composer/installers"
GET /w/composer.lock HTTP/1.1
Connection: keep-alive
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Event Timeline
Extremely low-level information disclosures of various configuration files are not typically considered vulnerabilities for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.