Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFtZngtNzVmZi04bXc2
Listing of upload directory contents possible
There's an security issue in prosody-filer versions < 1.0.1 which leads to unwanted directory listings of download directories.
An attacker is able to list previous uploads of a certain user by shortening the URL and accessing a URL subdirectors other than /upload/
(or the corresponding user defined root dir)
Version 1.0.1 and later fix this problem and allow only direct file access if the full path is known. Directory listings are blocked entirely.
Permalink: https://github.com/advisories/GHSA-qmfx-75ff-8mw6JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFtZngtNzVmZi04bXc2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-qmfx-75ff-8mw6
References:
- https://github.com/ThomasLeister/prosody-filer/security/advisories/GHSA-qmfx-75ff-8mw6
- https://github.com/advisories/GHSA-qmfx-75ff-8mw6
Blast Radius: 1.0
Affected Packages
go:github.com/ThomasLeister/prosody-filer
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.0.1
Fixed in: 1.0.1
All affected versions: 1.0.0
All unaffected versions: 1.0.1, 1.0.2, 1.0.3