HelioHost Posted July 30, 2024 Username: N/A, Server: N/A, Main Domain: N/A Hello, I hope you are fine. We are reporting a vulnerability in your web application as a responsible disclosure. Do let us know if you need any further assistance or if you have any bug bounty decision in place. It was discovered that your website has a publicly accessible PHPinfo page. The PHPinfo page provides detailed information about your PHP environment, including PHP version, server information, environment variables, paths, and loaded modules. This information can be invaluable to attackers as it exposes potential vulnerabilities and configuration details that can be exploited. The PHPinfo page was detected at the following endpoint: http://php80.krydos.heliohost.org:80/index.php *Remediation* To address this vulnerability, it is recommended to remove the PHPinfo page from your publicly accessible website. If you need to keep the PHPinfo page for debugging purposes, ensure it is only accessible to authorized users. If you would like to know more about how to fix it, would need cyber security guidance, or are considering getting a vulnerability assessment and penetration test of your assets, we would like you to schedule a call with us here: https://calendly.com/laburity/meeting *Danish Tariq* Co-Founder, Laburity. Linkedin | danish@laburity.com | +971501941383 Laburity - Your Cyber Guardians | Laburity @ Linkedin
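The report's remediation advice (keep a phpinfo page only if it is restricted to authorized users) can be implemented at the application layer. The snippet below is an added example and is not code from the reporter, from HelioHost, or from the thread; the allowlisted addresses, the username and the password hash are placeholders, and it assumes a PHP setup where `PHP_AUTH_USER`/`PHP_AUTH_PW` are populated (mod_php or a FastCGI setup that forwards the Authorization header).

```php
<?php
// Added example (not from the report or from HelioHost): expose phpinfo()
// only to clients that are both on a source-IP allowlist and authenticated
// with HTTP Basic credentials. Everyone else gets a plain 404 so the page
// does not advertise its existence.

declare(strict_types=1);

// Hypothetical allowlist of administrator source addresses (placeholder values).
const ALLOWED_IPS = ['127.0.0.1', '::1'];

// Hypothetical credentials. Store the output of password_hash(), never plaintext.
const ADMIN_USER = 'admin';
const ADMIN_PASSWORD_HASH = '$2y$10$PLACEHOLDER_REPLACE_WITH_password_hash_OUTPUT';

function clientIsAllowed(string $remoteAddr): bool
{
    // Strict comparison so '' or a malformed value never matches.
    return in_array($remoteAddr, ALLOWED_IPS, true);
}

function credentialsAreValid(?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    // hash_equals() for the username avoids a timing side channel;
    // password_verify() checks the bcrypt hash in constant time.
    return hash_equals(ADMIN_USER, $user)
        && password_verify($pass, ADMIN_PASSWORD_HASH);
}

$remote = $_SERVER['REMOTE_ADDR'] ?? '';
if (!clientIsAllowed($remote)) {
    http_response_code(404);   // indistinguishable from a missing page
    exit;
}

if (!credentialsAreValid($_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null)) {
    header('WWW-Authenticate: Basic realm="phpinfo"');
    http_response_code(401);
    exit;
}

// Reached only by an allowlisted, authenticated client.
phpinfo();
```

Two practical notes: `REMOTE_ADDR` is only trustworthy if no reverse proxy sits in front of PHP (behind a proxy, validate the proxy's forwarded-for header against the proxy's own address instead), and Basic auth must be served over HTTPS, since the credentials are only base64-encoded in transit. For a hosting provider that deliberately publishes its configuration, as HelioHost explains later in this thread, none of this applies; the gate is for sites where the page was left public by accident.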
Krydos Posted July 31, 2024 We've decided to give you $1,000,000 for finding the PHPInfo page that we intentionally placed so people can see the settings of our PHP versions prior to signing up for our free hosting. We need your cybersecurity guidance on testing the strength of the password we use for everything: HelioHostROOTpassword123. Do you think that is strong enough to secure all of our money and servers?
wolstech Posted July 31, 2024 Everyone else is having fun with this report it seems, but if it's not obvious, we provide shared web hosting services, so we intentionally have that page available to allow users to view our configuration. This is by design on our end and as such is not considered a security issue.