VID |
210003 |
Severity |
20 |
Port |
80, ... |
Protocol |
TCP |
Class |
CGI |
Detailed Description |
The web server allows remote users to read URL lists, including file and directory information, from the sitemap.xml file. The Sitemap Protocol allows a site to inform search engines about the URLs on the web site that are available for crawling, and is implemented as an XML-based file format. In its simplest form, a Sitemap that uses the Sitemap Protocol is an XML file that lists URLs for a site. A remote attacker could use sitemaps (sitemap.xml) to enumerate all files and directories in the web server root.
* References: https://www.google.com/webmasters/sitemaps/docs/en/protocol.html http://www.quietmove.com/blog/google-sitemap-directory-enumeration-0day/ http://seclists.org/fulldisclosure/2006/Oct/0222.html http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg17046.html
* Platforms Affected: Google, Sitemap Protocol; Any operating system; Any version |
Recommendation |
Web site administrators should review the contents of the sitemap.xml file for sensitive URLs and must be careful when using a sitemap.xml file. |
Related URL |
(CVE) |
Related URL |
(SecurityFocus) |
Related URL |
(ISS) |
|
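One way to carry out the review described in the Recommendation, as an added example that is not part of the original advisory: the script parses a sitemap and reports entries whose path matches patterns for content that usually should not be advertised. The pattern list, function names and sample sitemap are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed patterns for paths that rarely belong in a public sitemap; tune per site.
SENSITIVE = {
    "admin or management area": re.compile(r"/(admin|manage|console|phpmyadmin)(/|$)", re.I),
    "backup or dump file": re.compile(r"\.(bak|old|orig|sql|zip|tar|tgz|gz)$", re.I),
    "config or secret file": re.compile(
        r"(^|/)(\.env|\.git|\.htpasswd|web\.config|config\.(php|ya?ml|json))(/|$)", re.I),
    "internal or staging path": re.compile(r"/(internal|private|staging|test|dev)(/|$)", re.I),
}

def sitemap_locs(xml_text):
    """Return every <loc> value from a urlset or sitemapindex, ignoring the namespace."""
    # Intended for the administrator's own sitemap file, not untrusted XML.
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "loc" and el.text and el.text.strip()]

def audit_sitemap(xml_text):
    """Return (url, reason) pairs for entries whose path matches a sensitive pattern."""
    findings = []
    for loc in sitemap_locs(xml_text):
        path = urlsplit(loc).path
        for reason, pattern in SENSITIVE.items():
            if pattern.search(path):
                findings.append((loc, reason))
    return findings

# Constructed sample sitemap (www.example.com is a placeholder host).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/products/widget.html</loc></url>
  <url><loc>https://www.example.com/admin/login.php</loc></url>
  <url><loc>https://www.example.com/backup/site-2006.sql</loc></url>
  <url><loc>https://www.example.com/includes/config.php</loc></url>
</urlset>"""

if __name__ == "__main__":
    for url, reason in audit_sitemap(SAMPLE):
        print(f"{reason}: {url}")
```

Removing an entry from the sitemap only stops advertising it; the resource itself still needs access control or removal from the web root.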