(This post was originally posted in my own personal blog)
During my current research I have found some default files that some web frameworks includes into their installations that can compromise the security of a website. It also can allow an attacker to determine which framework a web page is using.
The first of these files is from the symfony framework. They offer to the developers a useful script called frontend_dev.php which show internal information about the current install and the server. As you can see in the following screenshot the information can be very useful…
It’s deactivated by default and can be activated changing the “lib\config\config\settings.yml” file:
Moreover another default files that I found researching into the default Zend Server installation are the alias /server-info and /server-status. These are part of the mod_info module and, hopefully, in Zend Server, are configured to be access only from localhost:
I have found that these default files are not include in the wordlist of wfuzz or even Wikto. I don’t know why are they ignoring these files, but I’m going to add these to my default dictionaries files :)
Cheers!
The first of these files is from the symfony framework. They offer to the developers a useful script called frontend_dev.php which show internal information about the current install and the server. As you can see in the following screenshot the information can be very useful…
It’s deactivated by default and can be activated changing the “lib\config\config\settings.yml” file:
# Logging and debugging settingsBy default the framework is configure not to show the toolbar, but a lot of web pages (indexed by Google) have activate it and allow to any user to read the private data of their websites.
web_debug: false # Enable the web debug toolbar
Moreover another default files that I found researching into the default Zend Server installation are the alias /server-info and /server-status. These are part of the mod_info module and, hopefully, in Zend Server, are configured to be access only from localhost:
<Location>This is a secure default configuration that other domains using this Apache module should adopt for the security of their web pages. This is a problem discussed sometimes ago with the revelation of the /server-status file in twitter.com. It’s also known that other servers like Apache.org are offering his status and his info, but you can also found a lot of websites sharing their server-status and server-info pages.
SetHandler server-info
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
<Location>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
I have found that these default files are not include in the wordlist of wfuzz or even Wikto. I don’t know why are they ignoring these files, but I’m going to add these to my default dictionaries files :)
Cheers!
Posts
0 comments:
Post a Comment