I discovered a potential Internal Path Disclosure vulnerability in iTop, where certain error messages reveal internal server paths. How can this information be concealed?
No, those messages only occur during the Setup, which is the process to install iTop. Those pages are not accessible 99.99% of the time.
This should be performed by a person who knows the server and its architecture, so it is not a disclosure for him.
So we won't do anything about it.
Hello @naveen-steigen, thanks for your message. As Vincent said, this is something that happens when going to the setup page; and the path displayed is a relative path, which is the same for every iTop.
Hi @jf-cbd @cisou
Thank you for your prompt reply.
In addition to the setup page, the internal path is also visible on the backup page. Please refer to the attached image for your reference.
If I am not mistaken, backup pages are limited to iTop administrators, so I don't see a risk in them being aware of the backup path.
Thanks for the clarification. Since the backup pages are only accessible to iTop administrators, the risk does seem low.
Still, is there any way to hide or mask the internal backup path in the iTop window?
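The reporter's last question, how to keep file system paths out of what the browser sees, has a generic answer at the PHP level that is independent of iTop and of the setup and backup pages discussed above. The following is an added example, not iTop's code and not something the maintainers proposed: it keeps the full error text (path included) in the server-side log and returns only an opaque reference to the client. The log file location and the `splitErrorViews` helper are assumptions made for this example.

```php
<?php
// Added example (not iTop's code): keep full diagnostics, including file
// system paths, in the server-side log and show only a generic message to
// the browser. This is the standard PHP pattern for avoiding path
// disclosure through error output.

declare(strict_types=1);

// Production ini settings: never render errors to the client, always log them.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
// Assumed log location for this example; adjust to the deployment.
ini_set('error_log', '/var/log/php/app-error.log');
error_reporting(E_ALL);

// Turn PHP warnings and notices into exceptions so one handler sees them all.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respect calls suppressed with @
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Build the two views of an error: a detailed one for the log and a
// generic one for the HTTP response. Returning both keeps the split testable.
function splitErrorViews(Throwable $e): array
{
    // An opaque reference lets an administrator correlate a user report with
    // the log entry without revealing anything about the file system.
    $ref = bin2hex(random_bytes(8));
    $forLog = sprintf(
        '[ref %s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    );
    $forClient = sprintf('An internal error occurred (reference %s).', $ref);
    return ['log' => $forLog, 'client' => $forClient];
}

set_exception_handler(function (Throwable $e): void {
    $views = splitErrorViews($e);
    error_log($views['log']);          // path and message stay on the server
    http_response_code(500);
    header('Content-Type: text/plain; charset=utf-8');
    echo $views['client'], PHP_EOL;    // the browser sees only the reference
});

// Constructed trigger so the file can be run directly: reading a file that
// does not exist emits a warning whose text contains the absolute path.
file_get_contents(__DIR__ . '/does-not-exist.conf');
```

Run with `php path-disclosure-example.php`: the terminal (or web response) shows only "An internal error occurred (reference ...)", while the configured log receives the line containing the full path. If the log file cannot be opened, PHP falls back to the SAPI logger (stderr on the CLI), so the path still never reaches the client.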