Re: [security #15940] Security Issue Full Source Code Disclose [Critical]

Hi Tanzil,

This server is not operated by W3C.

Based on the names of those projects it looks like it could be by
'kbr'.

Regards,
Vivien

On Fri, 2022-03-11 at 09:12 +0000, Tanzil Khan via RT wrote:
> <https://www.w3.org/Help/Requests/Ticket/Display.html?id=15940>
>  Requestors: it.tanzilkhan@gmail.com
>         CCs: openbugbounty@w3.org, public-security-disclosure@w3.org
>    AdminCCs: 
> 
> Hi there,
>      This is Tanzil Khan, *(Security Researcher and Bug Bounty Hunter)*
>   I have found an instance that is vulnerable to a misconfiguration that
> discloses the source code of your internal services.
> 
> 
> 
> Vulnerable Instance information.
> 
> Vulnerable IP: 54.167.144.218:9000
> Vulnerable URL: http://54.167.144.218:9000/
> 
> 
> 
> Found project:
> kbr-app-demo
> kbr-bootstrap-portal
> kbr-covid19
> kbr-devsecops
> kbr-edge
> kbr-flight
> kbr-grafana
> kbr-intelligent-ticketing
> kbr-machine-learning
> kbr-portal-demo
> kbr-prognostics
> 
> 
> *POC :*
> [image: POC.png]
> Also, I have attached the source list. As for *POC.*
> 
> If you need any information please let me know. Hope you guys will
> fix this ASAP.
> Let me know when you fix.
> 
> 
> 
> Best regards
> Tanzil
-- 
Vivien Lacourba                      World Wide Web Consortium
vivien@w3.org                        https://www.w3.org
https://www.w3.org/People/Vivien

Received on Friday, 11 March 2022 11:08:51 UTC