[openssl-dev] [openssl.org #3943] Vulnerability Report

Mahender Singh via RT rt at openssl.org
Tue Jul 14 19:21:25 UTC 2015


Dear Sir

Glad for your quick and fast response and implementation. I have heard
about your bounty program over HackerOne. As I did ethical work I am hoping
for some bounty in good faith from your end.

Thank you
Regarding
Mahender Singh

On Wed, Jul 15, 2015 at 12:40 AM, Richard Levitte via RT <rt at openssl.org>
wrote:

> Problem fixed.
>
> Thanks.
>
> On Tue, 14 Jul 2015 at 18.05.17, mahendersingh2706 at gmail.com wrote:
> > Dear Sir / Madam ,
> >
> >
> > This is *Mahender Singh*, *Security Researcher* from *India*.
> > I have found a bug that I would like to share with your security team;
> > this bug is related to server file disclosure. I have explained deeply as
> > follows,
> >
> > *Vulnerability* : GIT Config
> >
> > *Vulnerable link* : www.openssl.org
> >
> > *Payload* = .git/config
> >
> > *then final url* = http://www.openssl.org/.git/config
> >
> >
> > I have attached POC as follows
> >
> >
> > *Refer URL*
> >
> > http://blogs.msdn.com/b/bharry/archive/2014/12/18/git-vulnerability-with-git-config.aspx
> >
> > https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/
> >
> > https://www.owasp.org/index.php/Top_10_2013-A5
> >
> >
> > I have given enough details of Vulnerability if you need anything else
> > you can contact me at my mail id mahendersingh2706 at gmail.com
> > <hackdeep2015 at gmail.com>
> >
> > Hope you will patch this as soon as.
> >
> > Thank You
> >
> > Regarding
> > *Mahender Singh*
> > *Cyber Security Researcher*
>
>
> --
> Richard Levitte
> levitte at openssl.org
>
>
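
What a web-served `.git/config` like the one reported above can expose, from the administrator's side: this added example (not part of the original thread and not OpenSSL's code) walks a local document root, reports every `.git` directory, and flags remote URLs that embed a password. The function names, the sample config and the `example.invalid` host are constructed for illustration.

```python
import os
import re
import sys

# Constructed sample of a .git/config a web server might expose (not OpenSSL's).
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:s3cret@git.example.invalid/site.git
"""

SECTION = re.compile(r'^\[\s*([\w.-]+)(?:\s+"([^"]*)")?\s*\]')
URL_WITH_PASSWORD = re.compile(r'^[a-z][a-z0-9+.-]*://[^/@\s:]+:[^/@\s]+@', re.I)

def remote_urls(config_text):
    """Return {remote name: url} from git config text (simple line parser)."""
    urls, section = {}, (None, None)
    for line in config_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = (m.group(1).lower(), m.group(2))
        elif section[0] == "remote" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "url":
                urls[section[1]] = value
    return urls

def audit_docroot(docroot):
    """List .git directories under a document root and what their config reveals."""
    findings = []
    for dirpath, dirnames, _ in os.walk(docroot):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")  # report it, but do not walk the object store
        git_dir = os.path.join(dirpath, ".git")
        finding = {"path": git_dir, "remotes": {}, "password_in_url": []}
        config = os.path.join(git_dir, "config")
        if os.path.isfile(config):
            with open(config, encoding="utf-8", errors="replace") as fh:
                finding["remotes"] = remote_urls(fh.read())
            finding["password_in_url"] = sorted(
                n for n, u in finding["remotes"].items() if URL_WITH_PASSWORD.match(u))
        findings.append(finding)
    return findings

if __name__ == "__main__":
    print(remote_urls(SAMPLE_CONFIG))  # parse the constructed sample
    print(audit_docroot(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Any path it reports is one the web server should not serve; a remote flagged under `password_in_url` means that credential should be treated as exposed and rotated.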
