You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Severity: MediumDiscovered: 28 of February-2022, 02:06 PM
CWE ID
CWE-200
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
Full Path Disclosure (FPD) vulnerabilities enable an attacker to see the path to a webroot/file.
Certain vulnerabilities require the attacker to get the full path to the file that they wish to view.
For example, when using a load_file() query (within a SQL Injection) to view the page source.
Detected webroot/file is:
• /var/www/
Detected system is:
• linux
Found in URL:
• https://brokencrystals.com/api/config
Detected that a new fake cookie(s) was added with the same name, but with a different value appended to the end of the cookie(s):
Original cookie:
• CGIC=; 1P_JAR=2022-02-28-13; NID=511=ER9pK9QjKoZ6Uke2LvnZdQMkGC6Tcf1gzB0oLEC7iOsRCDp-rLZ_jR7PDM3aJ3FHGVVCCz6khR5Pd5EXzlxOrIfkbE6hTaR4A3zqzanSWZC3yYO_JJiIzDrd5LBamFjxsxRcXUg1Nru-sHpb2yGk2wMmG-6xD-utJa3Rkec96TGNPQvG1VpxB-dT-SW3iFOiwl0YX7OIkeQpeMDKGIr2FLcmVKlxl-KJ4evJQ0ugj1Y9bGrojTxanJ-qDV9s1lTzNflWW1xcEQzEN8KiVh-2RpuxPUd3MfnInRC121EMQayt_Oj-2ZehAwmDP8LIBX3iYTT7; bc-calls-counter=2; connect.sid=2foCp7mAieXzl9wIKNOwhxoOzENZmxz8.B%2FBbzNffqR6uTKMjenRru7uekHndqeEgdAfnLNRtVSg
New cookie:
• CGIC=; 1P_JAR=2022-02-28-13; NID=511=ER9pK9QjKoZ6Uke2LvnZdQMkGC6Tcf1gzB0oLEC7iOsRCDp-rLZ_jR7PDM3aJ3FHGVVCCz6khR5Pd5EXzlxOrIfkbE6hTaR4A3zqzanSWZC3yYO_JJiIzDrd5LBamFjxsxRcXUg1Nru-sHpb2yGk2wMmG-6xD-utJa3Rkec96TGNPQvG1VpxB-dT-SW3iFOiwl0YX7OIkeQpeMDKGIr2FLcmVKlxl-KJ4evJQ0ugj1Y9bGrojTxanJ-qDV9s1lTzNflWW1xcEQzEN8KiVh-2RpuxPUd3MfnInRC121EMQayt_Oj-2ZehAwmDP8LIBX3iYTT7; bc-calls-counter=2; connect.sid=2foCp7mAieXzl9wIKNOwhxoOzENZmxz8.B%2FBbzNffqR6uTKMjenRru7uekHndqeEgdAfnLNRtVSg; bc-calls-counter=.
Cookie that is added:
• bc-calls-counter=.
Cookie key is:
• bc-calls-counter
Token is:
• .
Possible exposure
Read Application Data, Access to Privileged Information
Remediation suggestions
To fix this vulnerability –
• Disable debug information in the web server’s configuration.
• Improve the error handling and parsing of cookies in the relevant code paths, so that exceptions and/or errors will not leak internal information.
Full Path Disclosure
Severity:
MediumDiscovered:28 of February-2022, 02:06 PMCWE ID
CWE-200
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
Full Path Disclosure (FPD) vulnerabilities enable an attacker to see the path to a webroot/file.
Certain vulnerabilities require the attacker to get the full path to the file that they wish to view.
For example, when using a load_file() query (within a SQL Injection) to view the page source.
Detected webroot/file is:
• /var/www/
Detected system is:
• linux
Found in URL:
• https://brokencrystals.com/api/config
Detected that a new fake cookie(s) was added with the same name, but with a different value appended to the end of the cookie(s):
Original cookie:
• CGIC=; 1P_JAR=2022-02-28-13; NID=511=ER9pK9QjKoZ6Uke2LvnZdQMkGC6Tcf1gzB0oLEC7iOsRCDp-rLZ_jR7PDM3aJ3FHGVVCCz6khR5Pd5EXzlxOrIfkbE6hTaR4A3zqzanSWZC3yYO_JJiIzDrd5LBamFjxsxRcXUg1Nru-sHpb2yGk2wMmG-6xD-utJa3Rkec96TGNPQvG1VpxB-dT-SW3iFOiwl0YX7OIkeQpeMDKGIr2FLcmVKlxl-KJ4evJQ0ugj1Y9bGrojTxanJ-qDV9s1lTzNflWW1xcEQzEN8KiVh-2RpuxPUd3MfnInRC121EMQayt_Oj-2ZehAwmDP8LIBX3iYTT7; bc-calls-counter=2; connect.sid=2foCp7mAieXzl9wIKNOwhxoOzENZmxz8.B%2FBbzNffqR6uTKMjenRru7uekHndqeEgdAfnLNRtVSg
New cookie:
• CGIC=; 1P_JAR=2022-02-28-13; NID=511=ER9pK9QjKoZ6Uke2LvnZdQMkGC6Tcf1gzB0oLEC7iOsRCDp-rLZ_jR7PDM3aJ3FHGVVCCz6khR5Pd5EXzlxOrIfkbE6hTaR4A3zqzanSWZC3yYO_JJiIzDrd5LBamFjxsxRcXUg1Nru-sHpb2yGk2wMmG-6xD-utJa3Rkec96TGNPQvG1VpxB-dT-SW3iFOiwl0YX7OIkeQpeMDKGIr2FLcmVKlxl-KJ4evJQ0ugj1Y9bGrojTxanJ-qDV9s1lTzNflWW1xcEQzEN8KiVh-2RpuxPUd3MfnInRC121EMQayt_Oj-2ZehAwmDP8LIBX3iYTT7; bc-calls-counter=2; connect.sid=2foCp7mAieXzl9wIKNOwhxoOzENZmxz8.B%2FBbzNffqR6uTKMjenRru7uekHndqeEgdAfnLNRtVSg; bc-calls-counter=.
Cookie that is added:
• bc-calls-counter=.
Cookie key is:
• bc-calls-counter
Token is:
• .
Possible exposure
Read Application Data, Access to Privileged Information
Remediation suggestions
To fix this vulnerability –
• Disable debug information in the web server’s configuration.
• Improve the error handling and parsing of cookies in the relevant code paths, so that exceptions and/or errors will not leak internal information.
Request
Response
External links
The text was updated successfully, but these errors were encountered: