Directory listing in multiple endpoints in nilsteampassnet/teampass
Jun 10th 2023
Teampass has directory listing by default for various endpoints that eventually discloses application-specific and user data and files.
Proof of Concept
Visit the following endpoint without logging in to the application.
- https://127.0.0.1/includes (configs)
- https://127.0.0.1/upload (Uploaded files)
- https://127.0.0.1/files (Contains .sql file)
This could be fixed using the server configuration itself but it is better to do it in the application level as well as there are many teampass installations on the internet that are exposing their data publicly as shown in the image below. This could be fixe simply by adding a blank index.php pages in the directories.
Sensitive files can be accessed by attackers. Here's a real-world example: