[steemhunt.com] .DS_Store file is publicly available to anyone.

in #utopian-io6 years ago

Project Information

Repository: https://github.com/Steemhunt/web
Platform: https://steemhunt.com

Expected Behaviour

.DS_Store file should be a hidden file and on calling it 403 Forbidden should be showed.

Actual Behaviour

.DS_Store file is visible publicly.

How to reproduce

  1. Visit https://steemhunt.com/.DS_Store and download file locally.

  2. In terminal use the following commnad to view the contents of DS_store file.

xxd -p path/to/.DS_Store | sed 's/00//g' | tr -d '\n' | sed 's/\([0-9A-F]\{2\}\)/0x\1 /g' | xxd -r -p | strings | sed 's/ptb[LN]ustr//g'

steemhunt_dsstore.png

Impact

Though website does not host any crtical file now, but due to DS_store file one can download and view all files on the website.

Github Details

Github profile
Issue#224

Sort:  

Hey,

I see in you github report, you have mentioned browser and OS as any. Its not where the issue is happening, its what you used to test your bug.

Also when you say, you can download all the files, you can download those anyways, this is a opensource project, you can look at the code and make whatever change you want. Question is can you deploy it to thr server without their permission?

Thanks for the suggestion, I pointed out here that though the code does'nt have any crtical files right now. But in Future may be some API-Keys might be used, for ex: AWS etc that with this public one can download the config files easily and may use it maliciously.

I will fix my Github issue regarding OS and Browser. Feel free to ask any question you may have

Thanks.

Congratulations @neutrinoguy! You have completed the following achievement on Steemit and have been rewarded with new badge(s) :

You published your First Post
You made your First Comment
You got a First Vote
You got a First Reply
Award for the number of upvotes received

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @steemitboard:
SteemitBoard World Cup Contest - Russia vs Croatia


Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes


Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Hi @neutrinoguy,
Welcome to Utopian. It's great reading your first post here, you show someone with high caliber and a lot of experience. we hope you take a look at some of our whitelisted projects and help make FOSS projects more secure.

  • Thank you for stating the impact
  • You could propose the fix in PR
  • It looks like they went with full removal instead of 403 forbidden

Note:- small change PR's are okay in this category as well and we appreciate them. large code additions go straight to development category.

Thank you for participating in the project.

Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.

To view those questions and the relevant answers related to your post, click here.


Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]

Hey @neutrinoguy
Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!

Want to chat? Join us on Discord https://discord.gg/h52nFrV.

Vote for Utopian Witness!