All Projects

ID Status Summary Opened by
136  Closed  users email address enumeration  Gazzar

Task Description

There is the ability to enumerate the email addresses of users through
admin.alwaysdata.com/password/lost/
If I enter a registered email it will display that the email has been sent,
but if the mail is not registered it will say:
The form contains some errors.
Email address of your account : There is no account with this email address.
So we can brute force using a list of emails and get some registered mails.
There is a rate limit, but it's very poor, as waiting 20 seconds after 7 or 8 requests will be OK and not banned with a 429 response.

Suggested solution: say that the email is sent if this email has an account,
as at admin.alwaysdata.com/login/:
if the email or password are wrong it says the credentials are incorrect, not that the email is incorrect, since here emails can be enumerated.
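The response oracle described in this report, and the uniform response the reporter suggests, as an added example. This is not code from the report or from alwaysdata; the handler names, the registered-user set and the candidate list are constructed for illustration, and the attacker-side probe only models the pacing the reporter describes (it takes a sleeper callback so it runs offline).

```python
"""Model of a password-reset account-existence oracle and its fix.

Added illustration; not the reporter's code or the vendor's code. Everything
here (handler names, the REGISTERED set, candidate addresses) is constructed.
"""
import secrets

# Constructed stand-in for the real user table.
REGISTERED = {"alice@example.com", "bob@example.com"}

# Body returned for every address once the fix is in place.
GENERIC_MSG = "If an account exists for this address, a reset email has been sent."

# Where the fixed handler queues mail; lets a test see that mail is only
# actually sent for existing accounts without any observable difference.
OUTBOX = []


def lost_password_vulnerable(email):
    """Reported behaviour: different status and body depending on whether
    the address is registered, so the endpoint confirms account existence."""
    if email in REGISTERED:
        return 200, "An email has been sent to %s." % email
    return 400, ("The form contains some errors. "
                 "Email address of your account : "
                 "There is no account with this email address.")


def lost_password_fixed(email):
    """Same status and body for every syntactically valid address. The mail
    is queued only when the account exists, but the caller cannot tell."""
    if email in REGISTERED:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
    return 200, GENERIC_MSG


def probe_accounts(handler, candidates, sleeper=lambda seconds: None,
                   batch=7, pause_s=20):
    """Attacker side: compare each candidate's response with a baseline
    taken from a random, certainly unregistered address. Any difference in
    status or body marks the candidate as registered. batch/pause_s model
    the reporter's pacing (7-8 requests, then a 20 s wait); pass
    sleeper=time.sleep to actually pace against a rate limiter."""
    baseline = handler("probe-%s@example.invalid" % secrets.token_hex(8))
    found = []
    for i, email in enumerate(candidates, start=1):
        if handler(email) != baseline:
            found.append(email)
        if i % batch == 0:
            sleeper(pause_s)
    return found


if __name__ == "__main__":
    candidates = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("vulnerable:", probe_accounts(lost_password_vulnerable, candidates))
    print("fixed:     ", probe_accounts(lost_password_fixed, candidates))
```

Two points a practitioner would check beyond the body text: the fixed handler returns the same status code as well as the same message (a 200/400 split is just as good an oracle as the wording), and the mail-sending work is done off the request path, since a noticeably slower response for registered addresses reopens the oracle as a timing side channel.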

135  Closed  local software files disclosure  Gazzar

Task Description

Reproduction steps:
By using Google dorks and writing
site:alwaysdata.com intitle:index.of
it will show 2 sites:
https://files.alwaysdata.com/ https://files.alwaysdata.com/migrations/software-2020/ The 2 files give me 404 forbidden.

PoC
Searching for files.alwaysdata.com in the Wayback Machine,
I can now access the pages without the forbidden message.
It contains software-2017 and software-2020.
https://web.archive.org/web/20241007181407/https://files.alwaysdata.com/migrations/ It is an index page; it shows software files that can be downloaded.
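The second half of this report (a path that is forbidden live but still readable from the archive) is the kind of check worth scripting. The following is an added example, not the reporter's or alwaysdata's code: it builds a Wayback Machine CDX query for every archived URL under a path, parses the JSON rows, and turns index-page snapshots into raw-content archive URLs. The CDX response embedded below is constructed, not a real capture, and the tarball name in it is a placeholder.

```python
"""Enumerate archived snapshots of a directory listing via the Wayback CDX API.

Added illustration, not from the report. SAMPLE_CDX is a constructed response
in the CDX server's JSON row format; the tarball filename is a placeholder.
"""
import json
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def cdx_query_url(url_pattern):
    """Query every archived URL matching url_pattern (trailing * is the CDX
    prefix wildcard), keep only 200 responses, one row per distinct URL."""
    params = {
        "url": url_pattern,
        "output": "json",
        "fl": "timestamp,original,statuscode,mimetype",
        "filter": "statuscode:200",
        "collapse": "urlkey",
    }
    return CDX_ENDPOINT + "?" + urlencode(params)


def parse_cdx_json(body):
    """CDX JSON output is a list of rows; the first row is the field header."""
    rows = json.loads(body)
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in data]


def archived_url(timestamp, original, raw=True):
    """Snapshot URL. The id_ flag returns the archived bytes as captured,
    without the Wayback toolbar and link rewriting."""
    return "https://web.archive.org/web/%s%s/%s" % (
        timestamp, "id_" if raw else "", original)


def index_pages(body):
    """Archived URLs of the HTML snapshots (the directory listings),
    newest first, plus the non-HTML rows (the listed files themselves)."""
    rows = parse_cdx_json(body)
    listings = sorted((r for r in rows if r["mimetype"] == "text/html"),
                      key=lambda r: r["timestamp"], reverse=True)
    files = [r for r in rows if r["mimetype"] != "text/html"]
    return ([archived_url(r["timestamp"], r["original"]) for r in listings],
            [archived_url(r["timestamp"], r["original"]) for r in files])


# Constructed sample response; the first timestamp is the one cited in the
# report, the rest are made up for the example.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode", "mimetype"],
    ["20241007181407", "https://files.alwaysdata.com/migrations/", "200", "text/html"],
    ["20240315120000", "https://files.alwaysdata.com/migrations/software-2020/", "200", "text/html"],
    ["20240315120100", "https://files.alwaysdata.com/migrations/software-2020/placeholder-package.tar.gz",
     "200", "application/x-gzip"],
])


if __name__ == "__main__":
    print(cdx_query_url("files.alwaysdata.com/migrations/*"))
    listings, files = index_pages(SAMPLE_CDX)
    print("\n".join(listings + files))
```

Running the generated query against the live CDX endpoint (for example with curl) produces the same row shape as SAMPLE_CDX; the takeaway for defenders is that removing or forbidding a listing does not withdraw the copies an archive already holds, so the exposed files should be treated as disclosed from their first capture date.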
