Security fail

I came across an interesting bug the other day as I was trying to think of a good example of URL hacking. I entered the URL to our company’s online time sheet (OTS), http://192.168.4.135:8080/ots/Index.jsp, into my favorite browser and then backspaced a bit. I hit enter when the browser was pointed to http://192.168.4.135:8080/ots/ and ta-dah… a directory listing.

[image: security_fail]

Most interesting was that upon checking the contents of the folders, I came across a file with a .conf extension. That made me do a double-take. True enough, when I opened the file, it contained the DB server, username and password to our OTS. There was also a very helpful readme.txt file which cited the .conf file and the supposedly confidential information. This has been fixed, though; that is, at least the access to the .conf and readme files. The directory listing can still be viewed. 😛
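The two defects in the post are a served directory that lists its contents and a credential-bearing .conf file sitting in a web-accessible path. The script below is an added example, not code from the post, that a defender can run against a deployed web root to catch both. It assumes a servlet container in the Tomcat family, where files under WEB-INF and META-INF are never served directly and directory listings are controlled by the `listings` init-param of the DefaultServlet in web.xml; the sample deployment and web.xml it builds are constructed and contain placeholder values only.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Extensions that usually hold configuration and should not sit in a served directory.
SENSITIVE_SUFFIXES = {".conf", ".properties", ".ini", ".env", ".bak"}
# Servlet containers refuse to serve these directories by URL (assumption: Tomcat-style container).
PROTECTED_DIRS = {"WEB-INF", "META-INF"}
# Lines that look like a credential assignment, e.g. "password=..." or "api_key: ...".
CREDENTIAL_RE = re.compile(r"^\s*(db_?)?(pass(word)?|pwd|secret|api_?key)\s*[=:]", re.I)


def is_protected(rel_path: Path) -> bool:
    """True when any path component is a container-protected directory."""
    return any(part in PROTECTED_DIRS for part in rel_path.parts)


def looks_like_credentials(path: Path) -> bool:
    """True when any line of the file matches a credential-assignment pattern."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return any(CREDENTIAL_RE.match(line) for line in text.splitlines())


def find_exposed_files(webroot) -> list:
    """Return POSIX-style relative paths of files under webroot that are reachable by URL
    and either carry a sensitive extension or contain credential-like lines."""
    root = Path(webroot)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if is_protected(rel):
            continue
        if path.suffix.lower() in SENSITIVE_SUFFIXES or looks_like_credentials(path):
            findings.append(rel.as_posix())
    return findings


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix like '{http://...}servlet' down to 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def directory_listing_enabled(web_xml_text: str) -> bool:
    """True when a DefaultServlet entry in this web.xml sets listings=true (Tomcat semantics)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local_name(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local_name(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        for param in servlet.iter():
            if _local_name(param.tag) != "init-param":
                continue
            fields = {_local_name(c.tag): (c.text or "").strip() for c in param}
            if fields.get("param-name") == "listings":
                return fields.get("param-value", "").lower() == "true"
    return False


# Constructed sample web.xml in Tomcat's layout; the namespace and class name are Tomcat's.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>{listings}</param-value></init-param>
  </servlet>
</web-app>
"""


def build_sample_webroot() -> Path:
    """Constructed sample deployment mirroring the post's layout; all values are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="ots_webroot_"))
    files = {
        "ots/Index.jsp": "<html>time sheet</html>\n",
        "ots/db.conf": "db_host=db.example.invalid\nusername=ots\npassword=PLACEHOLDER\n",
        "ots/readme.txt": "See db.conf for the database settings.\n",
        "ots/WEB-INF/web.xml": SAMPLE_WEB_XML.format(listings="true"),
        "ots/WEB-INF/classes/app.properties": "password=PLACEHOLDER\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    print("exposed:", find_exposed_files(sample))
    print("listings enabled:", directory_listing_enabled((sample / "ots/WEB-INF/web.xml").read_text()))
```

On the constructed tree the scan reports only `ots/db.conf`: `app.properties` also holds a password but lives under WEB-INF, so the container will not serve it, while `readme.txt` merely mentions the file. Pointing `find_exposed_files` at a real `webapps/` directory and `directory_listing_enabled` at `conf/web.xml` (the container-wide default) and each app's `WEB-INF/web.xml` turns the post's manual discovery into a repeatable pre-deployment check.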


One thought on “Security fail”

  1. Pingback: Always on time « testkeis
