zurmo / Zurmo

GNU Affero General Public License v3.0

Directory Listing / Directory Indexing #11

Open meshach007m opened 7 years ago

meshach007m commented 7 years ago

Description: Hi, hereby I would like to report a Directory Listing vulnerability that I have found on zurmo-stable-3.2.1.57987acc3018, which provides an attacker with the complete index of all the resources located inside the directory.

Technical Description: Directory listing, as it is named, allows a user to view all the files (including source files) under a directory served by the web site. If an adversary is able to view all the files (including the source files), they can forge attacks that can potentially bypass the security checks. This basically turns a black box into a white box from the adversary's point of view, which reduces the complexity of an attack.

Vulnerability Type: Directory Listing

Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018

Affected Component:
http://127.0.0.1/zurmo/app/assets/1a4c59ce/
http://127.0.0.1/zurmo/app/assets/566eb800/
http://127.0.0.1/zurmo/app/assets/6416ba5e/
http://127.0.0.1/zurmo/app/assets/96dee418/
http://127.0.0.1/zurmo/app/assets/98a907b/
http://127.0.0.1/zurmo/app/assets/a0110a6f/
http://127.0.0.1/zurmo/app/assets/cc7cc1db/
http://127.0.0.1/zurmo/app/assets/d2ef22f2/
http://127.0.0.1/zurmo/app/assets/e07527b/
http://127.0.0.1/zurmo/app/assets/fd697b80/

Note: http://127.0.0.1/zurmo/app/assets/ itself is not vulnerable to directory listing, but the directories listed above are.

http://127.0.0.1/zurmo/app/themes/ (including /themes/ itself and all links beneath it) is vulnerable to directory listing, and that is why those were not mentioned specifically.

Attack Vectors / Steps to Replicate: You can just visit all the above-mentioned links, which don't even require authentication. By visiting those links anyone will be able to view the directory. Note: Zurmo was not altered/modified in any way while subjected to testing.

Discoverer: Meshach. M
Organization: StrongBox IT
Website: http://www.strongboxit.com/
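As an added example that is not part of the report or of the Zurmo project, the following Python detects auto-generated index pages of the kind quoted in this issue (Apache mod_autoindex, and nginx autoindex, both of which title the page "Index of /...") and extracts the exposed entries, so an operator can run it over responses from their own instance after hardening. The sample HTML bodies are constructed for the example and modelled on the listings in the report, not captured from a live host.

```python
"""Offline detector for web-server directory listings such as the
ones reported for the Zurmo app/assets/<hash>/ directories."""
from html.parser import HTMLParser


class _IndexParser(HTMLParser):
    """Collects the <title> text and every <a href> target of a page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(body: str) -> bool:
    """True when the body is an auto-generated index ('Index of /...')."""
    p = _IndexParser()
    p.feed(body)
    return p.title.strip().startswith("Index of /")


def listed_entries(body: str) -> list:
    """Names a listing exposes, minus the column-sort controls
    ('?C=N;O=D') and the parent-directory link ('/...' or '../');
    [] when the body is not a listing at all (including an empty one)."""
    p = _IndexParser()
    p.feed(body)
    if not p.title.strip().startswith("Index of /"):
        return []
    return [h for h in p.hrefs if not h.startswith(("?", "/", ".."))]


# Constructed sample bodies (not real captures), shaped like the
# Apache autoindex output quoted in the report.
SAMPLE_LISTING = (
    "<html><head><title>Index of /zurmo/app/assets/e07527b</title></head>"
    "<body><h1>Index of /zurmo/app/assets/e07527b</h1><table>"
    '<tr><th><a href="?C=N;O=D">Name</a></th></tr>'
    '<tr><td><a href="/zurmo/app/assets/">Parent Directory</a></td></tr>'
    '<tr><td><a href="CalendarsUtil.js">CalendarsUtil.js</a></td></tr>'
    '<tr><td><a href="calendar.css">calendar.css</a></td></tr>'
    "</table></body></html>"
)
SAMPLE_APP_PAGE = (
    "<html><head><title>Zurmo</title></head>"
    '<body><a href="/zurmo/app/index.php">Login</a></body></html>'
)
```

Feed the functions the decoded body of a response from your own instance; on Apache the fix is `Options -Indexes` in the vhost or the directory's `.htaccess` (nginx: `autoindex off`), after which such paths return 403 instead of an index, and `is_directory_listing` should then be False for every path in the report.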

attritionorg commented 7 years ago

Is there a way to see sub-directories under /app/assets? If not then it would require brute-forcing those directory names it looks like. What files are found in the assets sub-directories?

meshach007m commented 7 years ago

Hi, below I have given a detailed description of the files and directories found under the assets sub-directories.

Index of /zurmo/app/assets/1a4c59ce

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[ ] ReportUtils.js 2017-09-12 12:32 3.0K

Index of /zurmo/app/assets/566eb800

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[ ] ZurmoGamificationSym..> 2017-07-17 15:52 493K
[ ] ZurmoGamificationSym..> 2017-07-17 15:52 51K
[IMG] font-squirrel-settin..> 2017-07-17 15:52 98K
[TXT] generator_config.txt 2017-07-17 15:52 569
[ ] zurmogamificationsym..> 2017-07-17 15:52 48K
[IMG] zurmogamificationsym..> 2017-07-17 15:52 141K
[ ] zurmogamificationsym..> 2017-07-17 15:52 86K
[ ] zurmogamificationsym..> 2017-07-17 15:52 55K

Index of /zurmo/app/assets/6416ba5e

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[TXT] jquery-ui-timepicker..> 2017-07-24 13:06 463
[ ] jquery-ui-timepicker..> 2017-07-24 13:06 70K
[ ] jquery-ui-timepicker..> 2017-07-24 13:06 37K

Index of /zurmo/app/assets/96dee418

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[DIR] autocomplete/ 2017-07-17 15:52 -
[ ] jquery-migrate-1.3.0..> 2017-07-17 15:52 9.2K
[ ] jquery.ajaxqueue.js 2017-07-17 15:52 2.9K
[ ] jquery.autocomplete.js 2017-07-17 15:52 21K
[ ] jquery.ba-bbq.js 2017-07-17 15:52 52K
[ ] jquery.ba-bbq.min.js 2017-07-17 15:52 4.7K
[ ] jquery.bgiframe.js 2017-07-17 15:52 2.5K
[ ] jquery.cookie.js 2017-07-17 15:52 3.8K
[ ] jquery.history.js 2017-07-17 15:52 15K
[ ] jquery.js 2017-07-17 15:52 276K
[ ] jquery.maskedinput.js 2017-07-17 15:52 7.3K
[ ] jquery.maskedinput.m..> 2017-07-17 15:52 3.5K
[ ] jquery.metadata.js 2017-07-17 15:52 4.9K
[ ] jquery.min.js 2017-07-17 15:52 94K
[ ] jquery.multifile.js 2017-07-17 15:52 20K
[ ] jquery.rating.js 2017-07-17 15:52 14K
[ ] jquery.treeview.asyn..> 2017-07-17 15:52 2.9K
[ ] jquery.treeview.edit.js 2017-07-17 15:52 1.5K
[ ] jquery.treeview.js 2017-07-17 15:52 8.0K
[ ] jquery.yii.js 2017-07-17 15:52 1.1K
[ ] jquery.yiiactiveform.js 2017-07-17 15:52 15K
[ ] jquery.yiitab.js 2017-07-17 15:52 1.1K
[DIR] jui/ 2017-07-17 15:52 -
[ ] punycode.js 2017-07-17 15:52 14K
[ ] punycode.min.js 2017-07-17 15:52 2.7K
[DIR] rating/ 2017-07-17 15:52 -
[DIR] treeview/ 2017-07-17 15:52 -
[DIR] yiitab/ 2017-07-17 15:52 -

Index of /zurmo/app/assets/98a907b

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[DIR] amChart/ 2017-07-24 12:41 -
[DIR] calendar/ 2017-07-24 12:41 -
[DIR] colorPicker/ 2017-07-24 12:41 -
[DIR] designer/ 2017-07-24 12:41 -
[DIR] extendedGridView/ 2017-07-24 12:41 -
[DIR] fileUpload/ 2017-07-24 12:41 -
[DIR] fullCalendar/ 2017-07-24 12:41 -
[DIR] jnotify/ 2017-07-24 12:41 -
[DIR] juiMultiSelect/ 2017-07-24 12:41 -
[DIR] juiportlets/ 2017-07-24 12:41 -
[DIR] mentionInput/ 2017-07-24 12:41 -
[DIR] orgChart/ 2017-07-24 12:41 -
[DIR] redactor/ 2017-07-24 12:41 -
[DIR] rssReader/ 2017-07-24 12:41 -
[DIR] sessionTimeout/ 2017-07-24 12:41 -
[DIR] treeView/ 2017-07-24 12:41 -

Index of /zurmo/app/assets/a0110a6f

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[DIR] css/ 2017-07-24 13:06 -
[ ] jquery.tokeninput.js 2017-07-24 13:06 29K

Index of /zurmo/app/assets/cc7cc1db

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[DIR] audio/ 2017-07-24 13:05 -
[ ] gamification-dashboa..> 2017-07-24 13:05 3.5K
[ ] jquery.animateSprite.js 2017-07-24 13:05 4.1K

Index of /zurmo/app/assets/d2ef22f2

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[ ] DropDownDependencyMa..> 2017-07-24 12:42 4.5K
[ ] Modal.js 2017-07-24 12:42 201
[ ] SelectInputUtils.js 2017-07-24 12:42 1.3K

Index of /zurmo/app/assets/e07527b

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[ ] CalendarsUtil.js 2017-09-12 11:27 4.2K
[TXT] calendar.css 2017-09-12 11:27 1.7K

Index of /zurmo/app/assets/fd697b80

[ICO] Name Last modified Size Description [PARENTDIR] Parent Directory -
[ ] FormUtils.js 2017-07-17 15:52 5.3K
[ ] ListViewUtils.js 2017-07-17 15:52 4.1K
[ ] StickyUtils.jquery.js 2017-07-17 15:52 2.9K
[ ] ZurmoDialog.js 2017-07-17 15:52 4.0K
[ ] dropDownInteractions.js 2017-07-17 15:51 2.0K
[ ] dynamicSearchViewUti..> 2017-07-17 15:51 3.5K
[DIR] fonts/ 2017-07-17 15:52 -
[ ] interactions.js 2017-07-17 15:52 31K
[ ] jquery.truncateText.js 2017-07-17 15:52 26K
[ ] less-1.2.0.min.js 2017-07-17 15:52 147K
[ ] mobile-interactions.js 2017-07-17 15:52 2.8K
[ ] renderExternalForm.js 2017-07-17 15:52 7.8K