Security Warning: Directory Listing Enabled on https://techbase.kde.org
Paul Brown
paul.brown at kde.org
Mon Jul 7 13:14:05 BST 2025
On Sunday, 6 July 2025 12:26:45 Central European Summer Time Sentinel Cypher
wrote:
> Hi Team,
> I wanted to follow up on the vulnerability I submitted. I took care to
> follow responsible disclosure practices and ensure the report was clear and
> actionable.
And we thank you for that. You can't imagine how many people send us bogus
reports with the sole intention of trying to scam a few bucks out of our
non-profit charity.
But not you. Oh, no! You sent us such valuable information, we would be so
screwed if it got out. We LITERALLY owe you our lives. We would LITERALLY be
dead if it weren't for your report.
I mean, what would we have done if our logo had fallen into the wrong hands?
If this had gotten out, it would have caused a massacre of a proportion that
only Genghis Khan could've perpetrated.
You are a literal saint.
> If your team offers any form of reward or appreciation for valid reports,
> I’d be grateful to be considered.
We do, we do. Please find attached a cheque for your troubles!
> These gestures really encourage continued
> ethical research and collaboration.
Especially the "ethical" part. Because you aren't out to scam anyone at all!
> Thanks again for your time.
> Best Regards.
>
> On Tue, Jul 1, 2025 at 3:30 PM Sentinel Cypher <sentinelcypher6 at gmail.com> wrote:
> > *Severity: High*
> >
> > *Website:* https://techbase.kde.org
> > *Affected POC:* https://techbase.kde.org/images/
> >
> > *Description:*
> > Directory listing is enabled on your server, exposing files and folders
> > that should remain hidden. This can leak sensitive data, scripts, or
> > configuration files, providing attackers valuable information for further
> > exploits.
> >
> > *Suggested Fix:*
> > Disable directory listing in your web server configuration (e.g., Apache’s
> > Options -Indexes). Regularly audit directories to ensure sensitive files
> > are protected.
> >
> > *White Hat Note:*
> > We share these insights to enhance your site’s security. Notify us after
> > resolution so we can retest. We appreciate your proactive security efforts
> > and look forward to your bounty program.
--
Promotion & Communication
www: https://kde.org
Mastodon: https://floss.social/@kde
Facebook: https://www.facebook.com/kde/
LinkedIn: https://www.linkedin.com/company/kde
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cheque_full_signed.pdf
Type: application/pdf
Size: 1524569 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-www/attachments/20250707/34fa07c2/attachment-0001.pdf>
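As an added illustration, not part of the thread, of the fix the quoted report names (Apache's `Options -Indexes`): the weak configuration that lets mod_autoindex generate a listing for a directory with no index file, beside the corrected form. The directory path is a placeholder assumption.

```apache
# Added example, not from the thread. /srv/www/example is a placeholder path.

# Weak: "Indexes" tells mod_autoindex to render a file listing for any
# directory under this path that has no DirectoryIndex file (index.html etc.).
<Directory "/srv/www/example">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Corrected: remove Indexes. A request for a directory without an index file
# now returns 403 Forbidden instead of an "Index of /..." page. When mixing
# relative forms, every option on the line must carry a + or - prefix.
<Directory "/srv/www/example">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

Check the change with `apachectl configtest`, reload, then request the directory (e.g. `/images/`) and confirm a 403 rather than a listing. Whether a listing is a finding at all depends on what the directory holds; a folder of public assets exposes nothing that the pages linking to them do not already reveal, which is the point of the reply above.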