Most websites and services today are built on some kind of framework, written in modern languages such as PHP, Ruby, Python and others. This has allowed many individuals to host arguably complex websites. That is a good thing, except that many website owners do not pay sufficient attention to the security of the software packages they deploy and do not harden the default configurations that ship out of the box.
More importantly, some webmasters are not even aware of the various misconfigurations which may leak sensitive information about their website and customers over the web.
This article is written to raise awareness of misconfigurations in the domains that webmasters manage, so that more of them will pay attention. From our interaction with webmasters, we understand that they are already bogged down with many maintenance duties. However, the fact remains that misconfiguration errors, when left unaddressed, can spew important information into the hands of malicious persons.
Consider a website that we analyzed a few days ago; the URL looked like this:
This particular page listed every email address registered on the website. These registrations were probably the result of users asking to be put on a weekly newsletter of some sort. The page listed 623 email addresses, including addresses on .mil, @gmail.com and @yahoo.com domains, among others. The server was running Apache/1.3.41.
Though this incident may not have caused direct harm to the website, it is definitely undesirable to have an email address list lying out in the open. It only serves as fodder for spam bots and for malicious persons launching social engineering attacks.
In conclusion, webmasters: please do not leave your software installations at their default settings, and do pay attention to misconfiguration and other errors.
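The article does not say which setting exposed the subscriber list, so the following is an added illustration of the kind of hardening the conclusion asks for, not configuration taken from the site that was analyzed. It contrasts a permissive Apache directory block of the sort found in stock configurations with a tightened version, using the `Order`/`Deny` syntax that Apache 1.3 and 2.2 understand. The document root `/var/www/html`, the `data` subdirectory and the file extensions are assumed placeholders.

```apache
# --- Permissive (typical out-of-the-box shape) ---
# Advertises the full server version and lists directory contents
# when no index file is present, so any file dropped under the
# document root (an exported subscriber list, a backup, a dump)
# becomes reachable by URL.
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# --- Hardened ---
# Minimal version banner, no automatic directory listings, and an
# explicit deny on the (assumed) directory where the application
# writes data files, plus a deny on common export/backup extensions
# wherever they appear under the document root.
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/html/data">
    Order deny,allow
    Deny from all
</Directory>
<FilesMatch "\.(csv|txt|sql|bak|old)$">
    Order deny,allow
    Deny from all
</FilesMatch>
```

The deny rules are a safety net, not the primary control: the subscriber list itself should be stored outside the document root entirely, so that no URL can map to it regardless of how the directory blocks are written. After changing the configuration, reload Apache and request the data directory and a sample export filename directly to confirm that both now return 403 rather than content.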