Directory Listing / Directory Indexing

Issue #433 new
Meshach M
created an issue

Description:

Hi, hereby I would like to report a Directory Listing vulnerability that I have found on zurmo-stable-3.2.1.57987acc3018, which provides an attacker with the complete index of all the resources located inside the directory.

Technical Description:

Directory listing, as the name suggests, allows a user to view all the files (including source files) under a directory served by the web site. If an adversary is able to view all the files (including the source files), they can craft attacks that potentially bypass the security checks. This effectively turns a black box into a white box from the adversary's point of view, which reduces the complexity of an attack.
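As an added example from the defender's side (not Zurmo's own configuration), the Apache httpd setting that produces such listings is shown next to the hardened form; the document root /var/www/zurmo and the use of mod_rewrite rules in .htaccess are assumptions.

```apache
# Added example, not part of the Zurmo project: httpd vhost fragment.
# Assumed document root: /var/www/zurmo

# --- Weak: mod_autoindex generates a listing for any directory that has
#     no index file, which is exactly what the reported asset directories show.
<Directory "/var/www/zurmo/app/assets">
    Options +Indexes +FollowSymLinks
</Directory>

# --- Hardened: turn indexes off for the whole application tree.
<Directory "/var/www/zurmo">
    # -Indexes: a request for a directory without index.php/index.html
    # now returns 403 Forbidden instead of an auto-generated listing.
    Options -Indexes +FollowSymLinks

    # FileInfo keeps .htaccess RewriteRule directives working (assumed to be
    # needed by the app) but does NOT grant "Options", so a stray .htaccess
    # cannot re-enable Indexes underneath this block.
    AllowOverride FileInfo
</Directory>

# If no part of the site needs auto-generated listings, do not load the
# module at all; remove or comment out the matching line in the main config:
# LoadModule autoindex_module modules/mod_autoindex.so
```

On nginx the equivalent is `autoindex off;` in the server or location block, which is already the default. After the change, verify by requesting one of the affected directories and confirming a 403 (or the app's own index page) rather than an "Index of" page.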

Vulnerability Type: Directory Listing

Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018

Affected Component:

http://127.0.0.1/zurmo/app/assets/1a4c59ce/

http://127.0.0.1/zurmo/app/assets/566eb800/

http://127.0.0.1/zurmo/app/assets/6416ba5e/

http://127.0.0.1/zurmo/app/assets/96dee418/

http://127.0.0.1/zurmo/app/assets/98a907b/

http://127.0.0.1/zurmo/app/assets/a0110a6f/

http://127.0.0.1/zurmo/app/assets/cc7cc1db/

http://127.0.0.1/zurmo/app/assets/d2ef22f2/

http://127.0.0.1/zurmo/app/assets/e07527b/

http://127.0.0.1/zurmo/app/assets/fd697b80/

Note: http://127.0.0.1/zurmo/app/assets/ itself is not vulnerable to directory listing, but the directories listed above are.

http://127.0.0.1/zurmo/app/themes/

/themes/ and every directory beneath it are vulnerable to directory listing, which is why they were not listed individually.

Attack Vectors:

Steps to Replicate:

You can just visit all the above-mentioned links, which do not even require authentication. By visiting those links, anyone will be able to view the directory contents.

Note: Zurmo is not altered/modified in any way while subjected to testing.

Discoverer: Meshach. M

Organization: StrongBox IT

Website: http://www.strongboxit.com/
