Bug 28002 - Information disclosure of log file
Status: RESOLVED NOTABUG
Alias: None
Product: sourceware
Classification: Unclassified
Component: Infrastructure
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: overseers mailing list
Reported: 2021-06-21 19:21 UTC by Chan Nyein Wai
Modified: 2024-03-25 18:49 UTC
Description Chan Nyein Wai 2021-06-21 19:21:34 UTC
Hi Security Team,

I hope you are doing well. I have found that the cygcheck log file was exposed to the public on your web server. It includes all full paths and files. I think this information should not be publicly accessible.

Steps To Reproduce
1. Go to https://sourceware.org/legacy-ml/cygwin/2017-02/msg00013/cygcheck.log
2. See the data.

Mitigation
Just set the permissions on this file so that it can't be accessed by the public, or delete the file if it is not in use in production.

Impact 
This may allow an attacker to exploit further.

Best Regards,
Bytehx.
Comment 1 Frank Ch. Eigler 2024-03-25 18:49:39 UTC
normal