View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008371 | Kali Linux | Kali Websites & Docs | public | 2023-07-03 07:58 | 2025-07-14 09:35 |
Reporter | malekabdullah | Assigned To | arnaudr | ||
Priority | normal | Severity | tweak | Reproducibility | have not tried |
Status | closed | Resolution | won't fix | ||
Product Version | kali-dev | ||||
Summary | 0008371: directory traversal | ||||
Description | I am writing to inform you of a vulnerability that I have found in the kali.org domain. The vulnerability is a path traversal vulnerability that allows a user to access a directory that is not normally visible to users. This directory contains outdated versions of Kali Linux packages, as well as the hashes for these packages. The vulnerability can be exploited by a malicious user to download outdated packages, which may contain security vulnerabilities. The malicious user could also steal the hashes for these packages, which could be used to forge malicious packages that appear to be legitimate. I have attached a proof-of-concept exploit that demonstrates the vulnerability. I have also provided a patch that fixes the vulnerability. I urge you to apply the patch as soon as possible to protect your users from this vulnerability. | ||||
Steps To Reproduce | Steps to reproduce: Go to https://www.kali.org/get-kali/#kali-virtual-machines, then press the torrent button, which will direct you to https://kali.download/base-images/kali-2023.2/kali-linux-2023.2-virtualbox-amd64.7z.torrent. Then go to https://kali.download/; the directories will appear in an abnormal form, and the user can check the old versions and the hash file. | ||||
Attached Files | |||||
It's not called directory traversal, it's called indexing, or directory listing. It's there on purpose. Not a bug. https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html http://nginx.org/en/docs/http/ngx_http_autoindex_module.html |
|
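The distinction drawn in the note above, shown as an added example that is not part of the original issue and not Kali's server code: a directory listing is a request that resolves to a directory inside the document root, while a traversal is a request whose resolved path escapes that root. The function name, the sample tree and the `SHA256SUMS` and `private/secret.txt` file names are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

def classify_request(doc_root: str, url_path: str, autoindex: bool = True) -> str:
    """Say what a static file server should do with url_path.

    'traversal' : resolved path escapes doc_root (the real vulnerability class)
    'listing'   : directory inside doc_root, index generated on purpose
    'forbidden' : directory inside doc_root, but autoindex is disabled
    'file'      : regular file inside doc_root
    'not-found' : nothing at that path
    """
    root = os.path.realpath(doc_root)
    # Decode percent-escapes first so %2e%2e is handled the same as '..'
    rel = unquote(url_path).lstrip("/")
    # realpath collapses '..' and follows symlinks before the containment check
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        return "traversal"
    if os.path.isdir(target):
        return "listing" if autoindex else "forbidden"
    if os.path.isfile(target):
        return "file"
    return "not-found"

def build_sample_tree() -> str:
    """Constructed sample: a public mirror root next to a directory outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "mirror")
    release = os.path.join(root, "base-images", "kali-2023.2")
    os.makedirs(release)
    os.makedirs(os.path.join(base, "private"))
    with open(os.path.join(release, "SHA256SUMS"), "w") as f:
        f.write("constructed sample content\n")
    with open(os.path.join(base, "private", "secret.txt"), "w") as f:
        f.write("outside the document root\n")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for path in ["/", "/base-images/kali-2023.2/",
                 "/base-images/kali-2023.2/SHA256SUMS",
                 "/../private/secret.txt", "/%2e%2e/private/secret.txt"]:
        print(f"{path:40} -> {classify_request(root, path)}")
```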
Date Modified | Username | Field | Change |
---|---|---|---|
2023-07-03 07:58 | malekabdullah | New Issue | |
2023-07-03 07:58 | malekabdullah | File Added: Screenshot_15.png | |
2023-07-03 09:04 | arnaudr | Note Added: 0018213 | |
2023-07-03 09:04 | arnaudr | Assigned To | => arnaudr |
2023-07-03 09:04 | arnaudr | Status | new => closed |
2023-07-03 09:04 | arnaudr | Resolution | open => won't fix |
2025-07-14 09:35 | g0tmi1k | Priority | high => normal |