nginx version disclosure on downloads.gratipay.com

Gratipay

Team Summary

Official summary from Gratipay

The researcher @footstep found that the web server behind downloads.gratipay.com (nginx) is disclosing its version on error pages. However, this domain is hosted on third-party infrastructure, MaxCDN—making this impossible to fix and out of scope of our program.

Reported by footstep

Vulnerability Details

Technical details and impact analysis

Information Disclosure
Hello,

Navigating to http://downloads.gratipay.com/Error goes to a 404 error page disclosing your Nginx version. Server information should be protected, since anyone with bad intent would try to find an exploit for the specified server version.

Thanks,
Footstep
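A defender-side check for the condition this report describes, as an added example that is not part of the original report: it scans a captured HTTP response for an nginx version token in the `Server` header and in the error-page body. The sample responses and the version `1.2.3` are constructed; the function name is hypothetical.

```python
import re

# Product token with a version number, e.g. "nginx/1.2.3".
# A bare "nginx" (what nginx emits with `server_tokens off;`) does not match.
VERSIONED = re.compile(r"\bnginx/(\d+(?:\.\d+)+)", re.IGNORECASE)


def find_nginx_version_leaks(raw_response):
    """Return (location, version) for every place the version is exposed."""
    text = raw_response.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    leaks = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            match = VERSIONED.search(value)
            if match:
                leaks.append(("Server header", match.group(1)))
    for match in VERSIONED.finditer(body):
        leaks.append(("response body", match.group(1)))
    return leaks


# Constructed sample: default nginx 404 page with the version visible.
LEAKY = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.2.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>\n<head><title>404 Not Found</title></head>\n<body>\n"
    "<center><h1>404 Not Found</h1></center>\n"
    "<hr><center>nginx/1.2.3</center>\n</body>\n</html>\n"
)

# Constructed sample: same page with the version suppressed.
HARDENED = LEAKY.replace("nginx/1.2.3", "nginx")

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, find_nginx_version_leaks(sample))
```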

Report Details

Additional information and metadata

State

Closed

Substate

Informative

Weakness

Information Disclosure