HSBC has finally fixed a bug that allowed web surfers to browse the directory structure of a supposedly secure website it helps to run. The John Lewis Partnership card secure website (a joint venture with HSBC) allowed the curious, and potentially malicious, to peek into its underlying structure. "Great if you were planning a …
So does this explain the unauthorised usage on the missus's credit card then?
No, this time it's not a joke!! Any other JLP card holders had similar?
"Great if you were planning a phishing attack and wanted to get a complete site layout and set of assets"
Sorry, where's the security problem?
I'm somewhat confused. Why would 'leaking' the directory structure of your site be considered a security flaw? As an analogy, one would never consider 'leaking' the layout of a building as a security risk*.
* Unless you are the developer of Terminal 5 and for some reason believe this information is top secret... Possibly under the assumption that no one will ever walk around the building....
Leaking the layout of a building may be an asset to burglars.
Live SQL Injection
Need I say any more?
Yes indeed, but it is security by obscurity, which we know does not work.
I'm interested if you can change some details....
Re: Sorry, where's the security problem?
(1) Access to directory listings of the web site can reveal pages that are not linked in. Perhaps the document with the turnover figures that will be released at noon. Perhaps ini files or server side include files with configuration or authorisation details.
(2) Access to directory listings shows that their system build, configuration and testing process is flawed. If they missed an obvious thing like directory listing, what else did they miss?
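A self-audit check for the risk described in point (1), added here as an example and not code from the thread or from HSBC/JLP: it parses an Apache/nginx-style "Index of" page for your own site, lists the exposed entries and flags filenames (ini, include, backup and similar extensions) that should never be visible. The sample HTML and the sensitive-suffix list are constructed for the example.

```python
from html.parser import HTMLParser

# Extensions that should never appear in a public listing (constructed list;
# extend it to match what your own deployment uses).
SENSITIVE_SUFFIXES = (".ini", ".inc", ".conf", ".config", ".bak", ".old", ".sql", ".env")

class _AutoIndexParser(HTMLParser):
    """Collects the <title> text and every href from an autoindex page."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.hrefs = "", False, []
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit_listing(html):
    """Return {'listing': bool, 'entries': [...], 'sensitive': [...]} for one page."""
    p = _AutoIndexParser()
    p.feed(html)
    if not p.title.strip().lower().startswith("index of"):
        return {"listing": False, "entries": [], "sensitive": []}
    # Drop sort links (?C=N;O=D) and the parent-directory link; keep files and subdirs.
    entries = [h for h in p.hrefs if not h.startswith(("?", "/", "../"))]
    sensitive = [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]
    return {"listing": True, "entries": entries, "sensitive": sensitive}

# Constructed sample responses: one autoindex page, one ordinary page.
SAMPLE_LISTING = """<html><head><title>Index of /assets/config</title></head><body>
<h1>Index of /assets/config</h1>
<a href="?C=N;O=D">Name</a> <a href="../">Parent Directory</a>
<a href="site.ini">site.ini</a> <a href="header.inc">header.inc</a>
<a href="logo.png">logo.png</a> <a href="old/">old/</a>
</body></html>"""
SAMPLE_PAGE = "<html><head><title>Card login</title></head><body>ok</body></html>"

if __name__ == "__main__":
    print(audit_listing(SAMPLE_LISTING))
    print(audit_listing(SAMPLE_PAGE))
```

Run it against the HTML of each directory URL on your own site; any result with `listing` true means autoindex is still enabled there, and `sensitive` names the files to pull before switching it off.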
@AC re:security by obscurity
Depends on your definition of "work". It means any flaws are hard to find. This is a good thing. It gives you more time to find and fix flaws, and means some flaws might never be discovered by baddies at all.
What it is NOT is a substitute for fixing and finding flaws. It's a barrier that will keep out riffraff and cause more determined attackers to take more time and possibly be more noticeable. These are all good things.
The "security by obscurity" mantra only really applies where people use attempted obfuscation INSTEAD of other methods, and in some fields (cryptography) it is much more beneficial to expose your algorithm to scrutiny to hammer out the bugs - but you still hide your key, don't you? ;)