Those files are archived public mailing list messages, so it seems like the intended behavior that they are publicly available.
On Tue, Feb 28, 2023, 11:50 AM Manpreet Singh <firstname.lastname@example.org> wrote:
Hello Team,

I have found a vulnerability in your domain.

Vulnerability :- Sensitive Information Disclosure
Affected URL :- https://www.python.org/ftp/
Qualitative Severity Information :- HIGH
Vulnerability Descriptions :- Directory Traversal To Python Mail servers By FTP.

Steps To Reproduce :-
1. Open this URL :- https://www.python.org/ftp/python/
2. In this you will see many directories that are disclosing.
3. Open Mail Directory you will find many mails, this is the URL :- https://www.python.org/ftp/python/mail/
4. Click on any mail, it will automatically download the mail in gunzip format.
5. For Kali Users, type this command :- gunzip filename
6. After gunzip type this command in Kali konsole :- leafpad filename, you will now see your python company mails that are hosted on FTP Protocol.

Note :- If you can't understand how to do it, you can mail me, I will then send a POC video.

Remediation :- Prevent this information from being displayed to the user.
Thanking You, Manpreet Singh (Security Researcher)