
Click-Jacking attacks. High!
Closed, Invalid (Public)

Description

The URL: "http://phabricator.org/changelog/2013/" has a path disclosure vulnerability which discloses "/bin/". This vulnerability was found in the request with id 434.
http://phabricator.org/Ffcvz
Some URLs have no protection (X-Frame-Options header) against Click-Jacking attacks. Among them:
  http://phabricator.org/rsrc/css/bootstrap-overrides.css
  http://phabricator.org/rsrc/css/bootstrap.min.css
  http://phabricator.org/rsrc/css/kPZrB
  http://phabricator.org/rsrc/css/
  http://phabricator.org/rsrc/css/font-awesome.min.css
  http://phabricator.org/rsrc/images/clients/GtQVN
  http://phabricator.org/rsrc/images/clients/
  http://phabricator.org/comparison/cFPZZ
  http://phabricator.org/rsrc/css/theme.css
  http://phabricator.org/rsrc/images/phabricator/btfjm
  http://phabricator.org/rsrc/images/phabricator/
  http://phabricator.org/rsrc/css/features.css
  http://phabricator.org/rsrc/css/bootstrap-responsive.min.css
  http://phabricator.org/rsrc/css/remarkup.css
  http://phabricator.org/rsrc/
  http://phabricator.org/tour/XrAat
  http://phabricator.org/applications/Myukb
  http://phabricator.org/applications/herald
  http://phabricator.org/rsrc/images/
  http://phabricator.org/rsrc/images/XuXay
  http://phabricator.org/support/YyTVP
  http://phabricator.org/applications/conpherence
  http://phabricator.org/upcoming/BlqqM
  http://phabricator.org/applications/projects
  http://phabricator.org/applications/diffusion
  http://phabricator.org/applications/maniphest
  http://phabricator.org/hosting/aoHXZ
  http://phabricator.org/applications/arcanist/NzsSK
  http://phabricator.org/changelog/OCHcB
  http://phabricator.org/rsrc/HYamM
  http://phabricator.org/contributors/RDmAE
  http://phabricator.org/press/JBfyb
  http://phabricator.org/applications/arcanist
  http://phabricator.org/applications/differential/PdusR
  http://phabricator.org/applications/maniphest/jYJpC
  http://phabricator.org/applications/conpherence/wJqes
  http://phabricator.org/applications/phriction/CNdHy
  http://phabricator.org/applications/projects/dPylF
  http://phabricator.org/applications/diffusion/oGoSS
  http://phabricator.org/rsrc/images/tour/
  http://phabricator.org/rsrc/images/tour/xAhwC
  http://phabricator.org/applications/herald/QKesb
  http://phabricator.org/changelog/2015/UTjOo
  http://phabricator.org/rsrc/images/apps/differential/
  http://phabricator.org/rsrc/images/apps/differential/WAcbk
  http://phabricator.org/rsrc/images/apps/arcanist/pMfXd
  http://phabricator.org/rsrc/images/apps/arcanist/
  http://phabricator.org/changelog/2012/cpsTP
  http://phabricator.org/rsrc/images/heros/
  http://phabricator.org/rsrc/images/heros/CwCrk
  http://phabricator.org/changelog/2013/NRBWn
  http://phabricator.org/changelog/2011/HQSlg
  http://phabricator.org/rsrc/images/apps/maniphest/
  http://phabricator.org/rsrc/images/apps/maniphest/WYbtn
  http://phabricator.org/changelog/2014/JOqpc
  http://phabricator.org/rsrc/images/apps/phriction/
  http://phabricator.org/rsrc/images/apps/phriction/xrBUe
  http://phabricator.org/rsrc/images/apps/projects/HEfdN
  http://phabricator.org/rsrc/images/apps/projects/
  http://phabricator.org/rsrc/images/apps/conpherence/
  http://phabricator.org/rsrc/images/apps/conpherence/nKLgG
  http://phabricator.org/rsrc/images/apps/diffusion/sGcoP
  http://phabricator.org/rsrc/images/apps/diffusion/
  http://phabricator.org/rsrc/images/apps/herald/
  http://phabricator.org/rsrc/images/apps/herald/IgWUQ
This vulnerability was found in the requests with ids 38, 63, 74, 112, 115, 118 to 119, 123, 127, 135, 155, 161 to 162, 182, 190, 226, 342, 347, 353, 356, 359, 387, 395, 404, 408, 410, 413 to 414, 425, 437, 440, 447, 454, 460, 462, 477, 479, 483, 493, 499, 508 to 509, 512, 569, 575, 578, 582 to 583, 588, 593 to 594, 605, 608, 626 to 627, 631, 643 to 644, 647 to 648, 653, 656, 662 to 663, 673 to 674.

Event Timeline

epriestley claimed this task.
epriestley added a subscriber: epriestley.

Please report security vulnerabilities via our HackerOne program: https://hackerone.com/phabricator

Note that this is NOT a qualifying vulnerability; issues with phabricator.org do not qualify.

Here's the canned response I would give you if you reported this via the proper channel:


This report shares some elements in common with many other reports. Often, these are concerns which make the report not applicable, or prevent us from moving forward until they are resolved. The common concerns with this report are:

  • This report looks like it contains the output of a security scanner, with little or no analysis.
  • This issue affects phabricator.org, but phabricator.org is outside of the scope of the program guidelines.
  • This report does not follow the program guidelines. Please review the program guidelines carefully before submitting a report.

Because of these concerns, we are taking these actions:

  • We are closing this issue as "Not Applicable" because we do not think it has any plausible security impact, and you have not provided a proof of concept which demonstrates a meaningful breach of security.
  • We are closing this issue as "Not Applicable" because the behaviors it discusses are by design, and appear to be working as intended.

For more information about our reasoning, you can find details below. These are the steps you can take next:

  • If you are satisfied with this response, you don't need to take any further actions.

Here is some more detailed information about the points above.

Scanner Output with No Analysis: It looks like you've copy-pasted the output from a piece of security scanner software and provided little or no analysis of your own.

Applying human intelligence and insight is an important part of performing security research: you can not be an effective researcher without thinking carefully about the issues you discover.

Running scanners on the project and reporting the results to us directly (without analyzing those results) is not usually very useful on its own. In particular, these reports are almost always false positives.

Scanner software can be a useful tool in helping to identify security problems, but it's just a starting point. You need to apply your intelligence and insight to refine things scanners catch into useful issue reports: make sure they're real issues with a real impact, and that an attacker could meaningfully exploit them.

Issue Affects phabricator.org: This issue affects the phabricator.org website. The site is not covered under the program, and issues with the site are not eligible for awards. See the program description for details of what is and is not covered.

Follow the Program Guidelines: This report does not follow the program guidelines. Please review the program guidelines carefully. It's important to us that researchers follow the rules.

Not Applicable: No Plausible Impact, No Proof of Concept: As far as we can tell, there is no plausible, concrete scenario in which an attacker could exploit this issue to do something evil or dangerous, and you have not provided us with a proof of concept or a similar specific scenario which would allow an attacker to do anything meaningfully dangerous.

This usually means that the issue isn't relevant to Phabricator: for example, you have identified an issue in unreachable code, or which users can't actually access, and although the issue is theoretically dangerous it has no impact in practice.

Not Applicable: By Design: This issue discusses behaviors which we've intentionally designed and implemented to work like they do.

Many features require design tradeoffs: we need to decide how to prioritize things like security against other concerns, like ease of use. Often, we will accept very mild security risks in order to make large improvements for users in other ways.