Hi, I would like to report a directory listing vulnerability that I found in zurmo-stable-. It provides an attacker with the complete index of every resource located inside the affected directories.

Technical Description:

Directory listing, as the name says, allows a user to view all the files (including source files) under a directory served by the web site. If an adversary can view all the files, including the source files, they can craft attacks that may bypass the application's security checks. From the adversary's point of view this turns a black-box target into a white-box one, which reduces the effort needed to attack it.

Vulnerability Type: Directory Listing

Affected Product Code Base: zurmo-stable-

Affected Component:

Note: itself is not vulnerable to directory listing, but the paths listed above are.

/themes/ and every directory below it are vulnerable to directory listing, which is why they are not listed individually.

Attack Vectors:

Steps to Replicate:

Visiting any of the links listed above, which do not even require authentication, shows the contents of the directory to anyone.
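The following script is an added example for verifying the report and is not part of the original submission or of Zurmo itself. It sends unauthenticated GET requests to a list of paths and classifies each response by the markers that Apache's mod_autoindex and nginx's autoindex emit (a "<title>Index of /path</title>" plus a list of anchors), then extracts the entries exposed by each listing. The hostname zurmo.example, the sample response bodies and the path list are constructed for illustration.

```python
"""Check a set of web paths for auto-generated directory listings.

Added example (not from the report or the Zurmo project). Sample bodies below
are constructed to mimic Apache mod_autoindex and nginx autoindex output.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Both Apache and nginx title their index pages "Index of <path>".
TITLE_RE = re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.I)
# href and anchor text of every link on the page.
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def index_path(body: str):
    """Return the directory path named in an index page's title, or None."""
    m = TITLE_RE.search(body)
    return m.group(1).strip() if m else None


def is_directory_listing(body: str) -> bool:
    """True if the body looks like a server-generated directory index."""
    return index_path(body) is not None and "<a href=" in body.lower()


def listed_entries(body: str) -> list:
    """Entries exposed by the listing, minus sort links and the parent link."""
    entries = []
    for href, text in ANCHOR_RE.findall(body):
        if href.startswith("?"):            # Apache column-sort links (?C=N;O=D)
            continue
        if href == "../" or text.strip() == "Parent Directory":
            continue
        entries.append(href)
    return entries


def fetch_http(url: str, timeout: float = 10.0) -> tuple:
    """Unauthenticated GET returning (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_paths(base_url: str, paths, fetch=fetch_http) -> dict:
    """Map each path that returns a 200 directory listing to the entries it exposes."""
    findings = {}
    for path in paths:
        status, body = fetch(urljoin(base_url, path))
        if status == 200 and is_directory_listing(body):
            findings[path] = listed_entries(body)
    return findings


# Constructed sample responses for offline use.
APACHE_SAMPLE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /themes</title></head><body>
<h1>Index of /themes</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="default/">default/</a></td><td>2016-01-16 10:00</td></tr>
<tr><td><a href="readme.txt">readme.txt</a></td><td>2016-01-16 10:00</td></tr>
</table></body></html>"""

NGINX_SAMPLE = """<html>
<head><title>Index of /themes/</title></head>
<body>
<h1>Index of /themes/</h1><hr><pre><a href="../">../</a>
<a href="default/">default/</a>                16-Jan-2016 10:00       -
<a href="readme.txt">readme.txt</a>            16-Jan-2016 10:00     128
</pre><hr></body>
</html>"""

NORMAL_PAGE = '<html><head><title>Zurmo</title></head><body><a href="/index.php">Login</a></body></html>'


if __name__ == "__main__":
    # Usage: python dirlisting_check.py http://zurmo.example/ /themes/ /themes/default/
    base, targets = sys.argv[1], sys.argv[2:]
    for path, entries in check_paths(base, targets).items():
        print(f"{path}: directory listing enabled, {len(entries)} entries exposed")
        for entry in entries:
            print(f"    {entry}")
```

The `fetch` parameter exists so the classifier can be exercised against captured or constructed bodies without network access. The check is marker-based, so a server with a customised autoindex template may need the title regex adjusted; the usual remedy on Apache is `Options -Indexes` for the affected directories (or `autoindex off` on nginx).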

Note: Zurmo was not altered or modified in any way while being tested.

Discoverer: Meshach. M

Organization: StrongBox IT
