GlobaLeaks: Information Disclosure

2017-04-16T06:05:36
ID H1:221333
Type hackerone
Reporter secure_world
Modified 2017-04-19T13:03:31

Description

I have observed that the application is leaking information while accessing "https://demo.globaleaks.org/l10n/en". It does not restrict access to file, which can possibly provide an attacker with information such as default credentials (test:test), username for accessing administrative functions, application functionalities available to admin user.

At this point I am not able to validate default credentials, whether these are credentials for login to globalleaks servers, application, functionalities. Information contained in the location can be possibly be combined with other approaches to perform targeted attack against globalleaks.

Recommendation: Restrict access to the file.