Everybody can read TestLink's logs without logging in!
Same thing with the uploads directory: if your web server allows you to browse directories, you can get all uploaded documents!
Should be the same with all files that do not end with .html or .php (any files that the web server doesn't process).
Simple solution:
In every directory that should not be accessed by a URL, put an .htaccess file there to disable access; PHP scripts can still access those directories.
[HINT] - right webserver config to avoid Security issues
Re: [HINT] - right webserver config to avoid Security issues
And we got a vulnerability!! These problems (and others) have been reported on:
http://itsecuritysolutions.org/2012-08- ... abilities/
http://www.metasploit.com/modules/explo ... pload_exec
We are going to add to the distribution the solution provided by GunnarD, but this will work out of the box only for APACHE (AFAIK);
this means we need to provide a warning while installing.
Better solution:
move the upload area and logs OUT OF the WEB SERVER accessible resources (I think this needs not too much effort)
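The "better solution" in the reply above, keeping uploads and logs outside the document root, removes the need for per-directory .htaccess rules entirely, because no URL maps to the files any more. What is then needed is a small script that hands a file to a logged-in user after validating the requested name. The following is an added example written for this thread, not TestLink's own code: the storage path, the session key `currentUser` and the `file` query parameter are assumptions chosen for illustration.

```php
<?php
// Added example (not TestLink's own code): serve uploaded documents that live
// OUTSIDE the web server's document root, so no URL maps to them directly.
// The only way to reach a file is through this script, which checks the
// session first. Paths and the session key are assumptions for illustration.

declare(strict_types=1);

// Assumed location outside the document root (e.g. DocumentRoot is /var/www/html).
const UPLOAD_DIR = '/var/testlink_data/upload_area';

session_start();

// Assumed session key: adapt this to the application's own login check.
if (empty($_SESSION['currentUser'])) {
    http_response_code(403);
    exit('Login required');
}

$requested = $_GET['file'] ?? '';

// Accept only a plain file name: no directory separators, no "." or "..".
if ($requested === '' || $requested === '.' || $requested === '..'
    || basename($requested) !== $requested) {
    http_response_code(400);
    exit('Bad file name');
}

$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $requested);

// realpath() resolves symlinks and "..": confirm the result is still a regular
// file inside UPLOAD_DIR before touching it.
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Always deliver as a download with a generic type, so an uploaded .php or .html
// is never interpreted by the server or rendered by the browser.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $requested) . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

If the files cannot be moved out of the document root, the .htaccess approach from the first post remains the fallback: a `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2) directive in the upload and log directories blocks direct requests while PHP's own file functions are unaffected, which is also why the reply notes that it only works out of the box on Apache.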