Dear Security Team,
I am a security researcher and I found a critical file on your website that shouldn't be visible to users. Please fix this ASAP.
Vulnerable URL:
Thanks and Regards
Considering Toolforge's goals and open access, I don't think phpinfo() output should be considered non-public there.
I'd agree. As a security best practice, it's always advisable to limit information disclosure as much as possible, even for the often minor items that phpinfo() displays. However, these types of vulnerabilities are, at best, low-risk. And within the context of Wikimedia and OSS it could be argued that they aren't vulnerabilities at all.
Getting a 502 Bad Gateway for any URL at timeless.wmflabs.org. I suppose that technically resolves this issue, even if it isn't really an issue :) @Isarra or another project owner for timeless.wmflabs.org - if you can provide any update here, that would be great, otherwise I'll plan to decline and make this task public soon.