Gratipay: server calendar and server status available to public

ID H1:116621
Type hackerone
Reporter bulla
Modified 2016-02-20T12:12:30


It was found that a calendar containing information about various tasks to be performed by the server admin can be viewed by any user.


it reveals stuff link data of expiration of ssl certificate, lastpass accounts, etc

further important entries that might entered in the future may contain critical data and hence access to this link should only be to concerned personnel

Server status - server load, bandwidth, database connections, etc revealed via public link


This link reveals important information about the server load and other information and can aid an attacker for other atacks

These links belong to the which says that t is for the internal employees only yet the domain is accessible publically.

Access to this domain should be restricted to the internal employees only.