Gratipay: server calendar and server status available to public

2016-02-15T18:52:40
ID H1:116621
Type hackerone
Reporter bulla
Modified 2016-02-20T12:12:30

Description

It was found that a calendar containing information about various tasks to be performed by the server admin can be viewed by any user.

link: http://inside.gratipay.com/appendices/calendar

It reveals things like the expiration date of the SSL certificate, LastPass accounts, etc.

Further important entries that might be entered in the future may contain critical data, and hence access to this link should only be given to the concerned personnel.

Server status - server load, bandwidth, database connections, etc revealed via public link

link: http://inside.gratipay.com/appendices/health

This link reveals important information about the server load and other information and can aid an attacker in other attacks.

These links belong to inside.gratipay.com, which says that it is for the internal employees only, yet the domain is accessible publicly.

Access to this domain should be restricted to the internal employees only.