piwik.org - open directory listing vulnerability #3588
Labels
Bug
For errors / faults / flaws / inconsistencies etc.
c: Website matomo.org
For issues related to our matomo.org website.
Major
Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.
worksforme
The issue cannot be reproduced and things work as intended.
With this vulnerability, any attacker could view all files in a given web directory. This allows them to see files which might not be linked anywhere on your site, including files which may include sensitive information, such as backup script files (like index.php~ or index.php.bak), htaccess files, or text files with notes (password.txt!). Here on this website we can also access the htaccess files and logs.
The other method is more dangerous. Some web servers are set up such that the web home is actually the user home, so passing in certain values in the web address can allow directory listings outside of the normally safe web folder structure. This is more dangerous since an attacker may be able to find and execute programs on your server through a web browser, potentially exploiting those programs as well.
Affected links:
1.) http://piwik.org/wp-content/plugins/sitepress-multilingual-cms/
2.) http://piwik.org/wp-content/plugins/sitepress-multilingual-cms/res/
3.) http://piwik.org/wp-content/plugins/sitepress-multilingual-cms/res/css/
Security Risk: If one or more directories holds a secret file, such as a password or key file, the attackers may be able to steal it. Additionally, directory traversal can sometimes allow attackers to access files outside the web root directory, leading to the stealing of system files, which can aid in other, additional attacks.
I hope this vulnerability will be patched as soon as possible.
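A local audit of a web root for the condition this report describes, as an added example that is not part of the original issue or the project's code: it finds directories with no index file and the backup, htaccess, log and note files inside them. The index file names, the file patterns and the sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Assumptions, not from the report: common index file names, and patterns for
# the kinds of leftovers it mentions (backups, htaccess files, notes, logs).
INDEX_NAMES = {"index.php", "index.html", "index.htm"}
SENSITIVE = ["*~", "*.bak", ".htaccess", ".htpasswd", "*.log", "password*.txt"]


def audit_webroot(root):
    """Return (listable_dirs, exposed_files), paths relative to root.

    listable_dirs: directories without an index file, which a server with
    automatic directory indexing enabled would render as a file listing.
    exposed_files: files in those directories that match SENSITIVE.
    """
    listable, exposed = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        if INDEX_NAMES & {f.lower() for f in filenames}:
            continue  # the index file is served instead of a listing
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        listable.append(rel)
        for name in sorted(filenames):
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in SENSITIVE):
                exposed.append(f"{rel}/{name}")
    return listable, exposed


def build_sample_tree(root):
    """Create a constructed sample web root (hypothetical file names)."""
    for rel in ["index.php", "plugins/example/readme.txt",
                "plugins/example/index.php~", "plugins/example/res/.htaccess",
                "plugins/example/res/css/style.css",
                "uploads/index.html", "uploads/password.txt"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        dirs, files = audit_webroot(tmp)
        print("listable directories:", dirs)
        print("sensitive files in them:", files)
```

Whether a flagged directory is actually listed depends on the server's indexing setting, so the output is a list of places to check, not proof of exposure.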