I came across an interesting bug the other day as I was trying to think of a good example of URL hacking. I entered the URL to our company’s online time sheet (OTS) — http://192.168.4.135:8080/ots/Index.jsp — into my favorite browser and then backspaced a bit. I hit enter when the browser was pointed to http://192.168.4.135:8080/ots/ and ta-dah… a directory listing.
Most interesting was that upon checking the contents of the folders, I came across a file with a .conf extension. That made me do a double-take. True enough, when I opened the file, it contained the DB server, username and password to our OTS. There was also a very helpful readme.txt file which cited the .conf file and the supposedly confidential information. This has been fixed though — that is, at least the access to the conf and readme files. The directory listing can still be viewed. 😛
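As an added illustration (not from the original post, which never names the web server), this is what the two fixes look like if the OTS runs on a Tomcat-style servlet container: the weak `listings` setting beside the corrected one, and a deny-all constraint for the `.conf` and `readme.txt` files. The Tomcat assumption and the file paths are mine.

```xml
<!-- conf/web.xml (container-wide default servlet). Assumed Tomcat; the post does not say. -->

<!-- Weak: directory listings on, so a request for /ots/ with no index page returns a file index. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>listings</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Corrected: listings off. A bare /ots/ request now gets a 404 instead of an index. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- WEB-INF/web.xml of the OTS application itself. An empty <auth-constraint/> means
     "no role may access this", so every request for these patterns is refused (HTTP 403)
     regardless of whether the user is logged in. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Configuration and notes that must never be served</web-resource-name>
        <url-pattern>*.conf</url-pattern>
        <url-pattern>/readme.txt</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

The constraint is a backstop: the durable fix is to keep the credential file out of the document root entirely (for example under WEB-INF/, which the container never serves directly) and rotate the DB password that was exposed.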