Hidden Directory Detected in Horizon
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Expired | Undecided | Unassigned | |
Bug Description
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site.
Cause: The web server or application server is configured in an insecure way.
Recommended fix: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely.
Affected URL: https:/
Difference: Path manipulated from: / to: /static/
Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.
Test Requests and Responses:

```http
GET /static/ HTTP/1.1
Cookie: csrftoken=
Accept-Language: en-US
Accept: text/html,
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

HTTP/1.1 403 Forbidden
Date: Fri, 12 Sep 2014 04:05:08 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 269
Content-Type: text/html; charset=iso-8859-1
```
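The 403 in the report is Apache's normal answer when a request lands on a directory that has no index file and `Indexes` disabled. If one wanted to apply the report's recommended fix (answer the bare directory request with 404 while still serving the files beneath it), the following is one way to do it in Apache. This is an added example, not the reporter's scan output or the Horizon project's shipped configuration; the Alias target `/srv/horizon/static` is an assumption.

```apache
# Added example, not Horizon's own configuration. The filesystem path is assumed.

# Weak setting: /static/ maps to a directory with no index file and Indexes off.
# Apache answers "403 Forbidden" ("Directory index forbidden by Options directive"),
# which confirms to a scanner that the directory exists.
Alias /static /srv/horizon/static
<Directory /srv/horizon/static>
    Options -Indexes
    Require all granted
</Directory>

# Corrected setting: keep the Alias above so /static/<file> is still served,
# but answer a request for the bare directory (with or without the trailing
# slash) with 404. mod_alias processes Redirect/RedirectMatch before Alias, so
# this wins for the directory URL and never reaches the directory handler.
# Note that "ErrorDocument 403 ..." would NOT help here: it changes the body,
# not the status line, and the scanner keys on the status.
RedirectMatch 404 "^/static/?$"
```

Check the result against a path that has never existed, so the two responses can be compared: `curl -sI https://<host>/static/` and `curl -sI https://<host>/static-probe/` should both return `404 Not Found`, while `curl -sI https://<host>/static/dashboard/css/...` (any real asset) still returns 200. Matching the trailing-slash-less form matters because otherwise `mod_dir` would answer `/static` with a 301 to `/static/`, which reveals the directory just as plainly as the 403 did.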
Please explain how knowing that /static/ is a directory under /static is a security vulnerability. Since Horizon is open source, the entire structure of the /static directory is already publicly known.