Security Warning: Directory Listing Enabled on https://community.kde.org

Nicolás Alvarez nicolas.alvarez at gmail.com
Wed Jul 2 16:21:25 BST 2025


I already replied and you ignored it: Why is this a security problem?
Does that folder have "sensitive data, scripts or configuration
files"?

We don't have any monetary rewards for security issues. This is an
open source project run by volunteers; we're not a commercial company.

-- 
Nicolás

On Wed, Jul 2, 2025 at 4:07 a.m., Hack4 Good
(hackgood345 at gmail.com) wrote:
>
> Hi Team,
> I wanted to follow up on the vulnerability I submitted. I took care to follow responsible disclosure practices and ensure the report was clear and actionable.
> If your team offers any form of reward or appreciation for valid reports, I’d be grateful to be considered. These gestures really encourage continued ethical research and collaboration.
> Thanks again for your time.
> Best Regards.
>
> On Wed, Jun 25, 2025 at 6:50 PM Hack4 Good <hackgood345 at gmail.com> wrote:
>>
>> Severity: High
>>
>> Website: https://community.kde.org
>> Affected POC: https://community.kde.org/images/
>>
>> Description:
>> Directory listing is enabled on your server, exposing files and folders that should remain hidden. This can leak sensitive data, scripts, or configuration files, providing attackers valuable information for further exploits.
>>
>> Suggested Fix:
>> Disable directory listing in your web server configuration (e.g., Apache’s Options -Indexes). Regularly audit directories to ensure sensitive files are protected.
>>
>> White Hat Note:
>> We share these insights to enhance your site’s security. Notify us after resolution so we can retest. We appreciate your proactive security efforts and look forward to your bounty program.

