Alert group Documentation file
Closed, Invalid; Public

Description

/w/README
Severity: Low
Alert group: Documentation file
Description: A documentation file (e.g. readme.txt, changelog.txt, ...) was found in this directory. The information contained in these files could help an attacker identify the web application you are using and sometimes the version of the application. It's recommended to remove these files from production systems.
Recommendations: Remove or restrict access to all documentation files accessible from the internet.
Alert variants
Details
File contents (first 250 characters):

MediaWiki

MediaWiki is a free and open-source wiki software package written in PHP. It
serves as the platform for Wikipedia and the other Wikimedia projects, used
by hundreds of millions of people each month. MediaWiki is localised in over
350 ...
GET /w/README HTTP/1.1
Connection: keep-alive
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

Event Timeline

sbassett changed the task status from Declined to Invalid. (Nov 12 2019, 4:45 PM)
sbassett triaged this task as Lowest priority.
sbassett moved this task from Backlog / Other to Done on the acl*security board.
sbassett subscribed.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". (Nov 12 2019, 4:45 PM)