Those files are archived public mailing list messages, so it seems like the intended behavior that they are publicly available. On Tue, Feb 28, 2023, 11:50 AM Manpreet Singh < manpreet.singh08842020@gmail.com> wrote:
Hello Team , I have founded vulnerability in your domain . Vulnerability :- Sensitive Information Disclosure Affected URL :- https://www.python.org/ftp/ Qualitative Severity Information :- HIGH Vulnerability Descriptions :- Directory Traversal To Python Mail servers By FTP. Steps To Reproduce :- 1. Open this URL :- https://www.python.org/ftp/python/ 2. In this you will see many directories that are disclosing . 3. Open Mail Directory you will find many mails , this is the URL :- https://www.python.org/ftp/python/mail/ 4. Click on any mail , it will automatically download the mail in gunzip format. 5. For Kali Users , type this command :- gunzip filename 6. After gunzip type this command in kali konsole :- leafpad filename , you will now see your python company mails that are hosted on FTP Protocol .
Note :- If you can't understand how to do it , you can mail me i will then send POC video . Remediation :- Prevent this information from being displayed to the user.
Thanking You, Manpreet Singh (Security Researcher) _______________________________________________ docs mailing list -- docs@python.org To unsubscribe send an email to docs-leave@python.org https://mail.python.org/mailman3/lists/docs.python.org/ Member address: mariatta@python.org