Publicly accessible access-log file

An accessible access.log file was discovered.

  • logs
  • disclosure

Access logs record how a web application was accessed. With access to the web server, you can use them to determine exactly how a user was authenticated and what kind of requests they were making.

Impact

Attackers can use the access logs to gain more information about how the web server is used. This may allow attackers to discover vulnerabilities which they would otherwise not have been able to attack.

Solution

Do not expose the access logs publicly. This information should be used only in a black-box environment, where users are authenticated and cannot see what is happening behind the scenes.
