Member Avatar for Rahul47

Recently I was testing a website for vulnerabilities and I found that a URL disclosed following directory details. I wanted to prove to authorities that this is serious as .mdb file can be accessed but i don't know how.
I want to access it and prove it to them. Is there any way to access .mdb file ?

3cc63934b3b240301a9566736c3f83ad

Thanx.

What do you mean you don't know how to prove this? You simply need to send a screenshot as you did here indicating that you' be discord that directory browsing is enabled. It's very easy to fix this issue.

You should be able to access any of the files listed.

Member Avatar for Rahul47

I sent that screenshot, but dumbheads there are so lazy that they said it wont harm their website. LOL .
Am not worried anyway, but just wanted to save that cause its a university website and i dont want it to be spoiled.

Member Avatar for Rahul47

What do you mean you don't know how to prove this?

I feel that it can be accessed but I haven't yet figured out HOW ? Thats what am googling for . .

Member Avatar for Rahul47

An mdb can be accessed by MS Access, probably Excel too.

If you are a visitor and if you can see directory details of a website will you still be able to access it ?

When directory browsing is enabled and accessed by a browser, the files listed are generally listed as hyperlinks where you can click them and either open or download them. Is that not what you are seeing via your browser?

Member Avatar for Rahul47

When directory browsing is enabled and accessed by a browser, the files listed are generally listed as hyperlinks where you can click them and either open or download them. Is that not what you are seeing via your browser?

Nope, am redirected to server Error Page. Saying,

Server Error in '/app' Application.

This type of page is not served.

Description: The type of page you have requested is not served because it has been explicitly forbidden. The extension '.mdb' may be incorrect. Please review the URL below and make sure that it is spelled correctly.

Requested URL: /App/app.mdb

ASP.NET will automatically protect certain folders such as App_Data, App_Code, etc... There are several. In addition, you can further secure using the web.config file as well.

It seems that in this instance the folder you are looking at is a typical folder without any of the default documents stored in that folder so the webserver lists the contents instead if page not found because directory browsing is enabled.

Member Avatar for Rahul47

It seems that in this instance the folder you are looking at is a typical folder

Actually I changed original name to App not to disclose its directory name here. [ Privacy Concern ]

So how do i fetch that .mdb file ?

If nothing sensitive can be accessed from this particular directory (mdb files appear to already by protected), then there may not be an issue - however, there may be other directories that contain files that should not be accessed. Directory Browsing just makes it easier to discover the directory contents and find them, but does not directly mean they can be accesses. However, if the file name discloses sensitive information, then preventing access to the file might not be enough.

eg. Seeing a file called Plans_for_firing_1000_people.xls might not be desirable

Member Avatar for Rahul47

If nothing sensitive can be accessed . . . .

I see you point.
FYI that mdb file contains result of university and I being student of university wanted to protect it.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.