forgot a test file
[gofetch.git] / test / expected / SLASHDOT / 0102639752.html
CommitLineData
299a08f3
NR
1<!DOCTYPE html>
2<html>
3<head>
4 <meta http-equiv='content-type' content='text/html; charset=utf-8'>
5 <meta name='viewport' content='width=device-width, initial-scale=1.0'>
6 <style type='text/css'>
7 body { margin: 1em 15%; }
8 </style>
9</head>
10<body>
11<div class='story'>
c715ea02 12 <h2>400,000 Websites Vulnerable Through Exposed .git Directories (scmagazine.com)</h2>
299a08f3
NR
13 <div class='details'>(Thursday September 06, 2018 @11:30PM (msmash)
14from the security-woes dept.)</div>
15 <br/>
16 <ul>
c715ea02 17 <li>Reference: <a href=''>0102639752</a></li>
299a08f3
NR
18 <li>News link: <a href='https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories'>https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories</a></li>
19 <li>Source link: <a href='https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/'>https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/</a></li>
20 </ul>
21 <br/>
22 <div class='content' style='text-align: justify'>
23 Open .git directories are a bigger cybersecurity problem than many might imagine, at least according to a Czech security researcher who discovered almost 400,000 web pages with an open .git directory possibly exposing a wide variety of data. From a report: Vladimir Smitka began his .git directory odyssey in July when he began looking at Czech websites to find how many were improperly configured and allow access to their .git folders within the file versions repository. Open .git directories are a particularly dangerous issue, he said, because they can contain a great deal of sensitive information. &quot;Information about the website&#x27;s structure, and sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on. However, this data shouldn&#x27;t be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices,&quot; Smitka wrote. Smitka queried 230 million websites to discover the 390,000 allowing access to their .git directories. The vast majority of the websites with open directories had a .com TLD with .net, .de, .org and uk comprising most of the others.
24 </div>
25<hr/>
26 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 27 <h3></h3>
299a08f3
NR
28 <div class='by' style='font-style: italic;'></div>
29 <div class='comment_content'></div>
30 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 31 <h3>Re: (Score:2, Informative)</h3>
299a08f3
NR
32 <div class='by' style='font-style: italic;'>by MidSpeck ( 1516577 )</div>
33 <div class='comment_content'><p></p><p>^/.*/\.git/</p><p>Protect git repositories in all subdirectories as well.</p></div>
34 </div>
35 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 36 <h3>Re: (Score:2)</h3>
299a08f3
NR
37 <div class='by' style='font-style: italic;'>by jrumney ( 197329 )</div>
38 <div class='comment_content'><p></p><p>Why stop there? Are there any dot files/directories that need to be served over HTTP?</p></div>
39 </div>
40 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 41 <h3>Re: .htaccess (Score:3)</h3>
299a08f3
NR
42 <div class='by' style='font-style: italic;'>by spongman ( 182339 )</div>
43 <div class='comment_content'><p></p><p>Why doesn't Apache block all '.'-prefixed directories by default?</p></div>
44 </div>
45 </div>
46 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 47 <h3></h3>
299a08f3
NR
48 <div class='by' style='font-style: italic;'></div>
49 <div class='comment_content'></div>
50 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 51 <h3>Re:https://slashdot.org/.git (Score:4, Informative)</h3>
299a08f3
NR
52 <div class='by' style='font-style: italic;'>by ls671 ( 1122017 )</div>
53 <div class='comment_content'><p></p><p>Slashdot is still using CVS try [1]https://slashdot.org/CVS/ [slashdot.org]</p><p>you will see, it works! :)</p><p></p><p></p><p></p><p></p><p>[1] https://slashdot.org/CVS/</p></div>
54 </div>
55 </div>
56 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 57 <h3>Your central git repo ... (Score:1)</h3>
299a08f3
NR
58 <div class='by' style='font-style: italic;'>by Qbertino ( 265505 )</div>
59 <div class='comment_content'><p></p><p>... belongs behind ssh or, at least, behind http access and SSL.</p><p>If I catch you doing otherwise for anything other than FOSS software I'll smack you. Hard.</p></div>
60 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 61 <h3>Re:Your central git repo ... (Score:4, Informative)</h3>
299a08f3
NR
62 <div class='by' style='font-style: italic;'>by tlhIngan ( 30335 )</div>
63 <div class='comment_content'><p></p><p>> ... belongs behind ssh or, at least, behind http access and SSL.</p><p>> If I catch you doing otherwise for anything other than FOSS software I'll smack you. Hard.</p><p>And it probably is. The thing is, the website owners are using git to version control and deploy their website (not a bad idea). So they develop their web site, push it to the central git repo, and whenever they need to go live, they just do a "git pull" on the webserver and it'll pull down the latest version of the website.</p><p>Problem is, they forget about the hidden .git directory git makes that stores all sorts of useful information and with a little persistence, allow you access to the raw source code since you can access the individual git objects. (Or maybe even clone it using git).</p></div>
64 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 65 <h3>Re: (Score:2)</h3>
299a08f3
NR
66 <div class='by' style='font-style: italic;'>by jrumney ( 197329 )</div>
67 <div class='comment_content'><p></p><p>I do this, it is very convenient for deploying updates to the site. But I always put the web interface into a subdirectory, and only configure the web server to see that so the .git directory is not visible over HTTP. And dotfiles and directories are blocked in the webserver config for extra protection against accidental inclusion of invisible files.</p></div>
68 </div>
69 </div>
70 </div>
71 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 72 <h3>reheating yesterday's food (Score:3)</h3>
299a08f3
NR
73 <div class='by' style='font-style: italic;'>by Tsolias ( 2813011 )</div>
74 <div class='comment_content'><p></p><p>just an article from 2015 [1]https://en.internetwache.org/d... [internetwache.org]</p><p>I can give you also next year's article about .file vulnerabilities. (spoiler alert) [2]https://en.internetwache.org/s... [internetwache.org]</p><p></p><p></p><p></p><p></p><p>[1] https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/</p><p>[2] https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/</p></div>
75 </div>
76 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 77 <h3></h3>
299a08f3
NR
78 <div class='by' style='font-style: italic;'></div>
79 <div class='comment_content'></div>
80 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 81 <h3>KKK (Score:2)</h3>
299a08f3
NR
82 <div class='by' style='font-style: italic;'>by Tsolias ( 2813011 )</div>
83 <div class='comment_content'><p></p><p>> Thats what you get on hiring those bootcamp "graduates"</p><p>Kode w/ Karlie Kloss, like it or not.</p></div>
84 </div>
85 </div>
86 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 87 <h3>Alternate headline: 99.8% websites are OK (Score:2)</h3>
299a08f3
NR
88 <div class='by' style='font-style: italic;'>by jmichaelg ( 148257 )</div>
89 <div class='comment_content'><p></p><p>230 million websites. 400k poorly configured. 4*10^5/2.3*10^8 is less than 0.2% of websites surveyed screwed this up.</p><p>400k is a big number but it's good to know most developers aren't that stupid on this issue.</p></div>
90 </div>
91 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 92 <h3></h3>
299a08f3
NR
93 <div class='by' style='font-style: italic;'></div>
94 <div class='comment_content'></div>
95 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 96 <h3>Re: yarn dist (Score:2)</h3>
299a08f3
NR
97 <div class='by' style='font-style: italic;'>by TimMD909 ( 260285 )</div>
98 <div class='comment_content'><p></p><p>... Equifax types for free security tests from 3rd parties and press coverage, presumably...</p></div>
99 </div>
100 </div>
101 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 102 <h3>So? (Score:2)</h3>
299a08f3
NR
103 <div class='by' style='font-style: italic;'>by cshark ( 673578 )</div>
104 <div class='comment_content'><p></p><p>An open git directory will be everything you need to reconstruct the site, more often than not from the same server you're targeting. Scary. Database servers are rarely open. Short of some serious hacking, there isn't a lot you're going to be able to do with this stuff once you've obtained the information you're waving around here.</p><p>Until such time as I see hackers actually logging in with this information and defacing github, I'm going to remain unconvinced of the severity of this one.</p></div>
105 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 106 <h3>Re: (Score:2)</h3>
299a08f3
NR
107 <div class='by' style='font-style: italic;'>by OrangeTide ( 124937 )</div>
108 <div class='comment_content'><p></p><p>My website's .git directories are open intentionally. Makes for convenient mirroring and viewing of archives without having to hope and pray wayback machine picked up my obscure website.</p><p>I'm not too worried. It's just data on the filesystem, it's not executing programs. And the data is not supposed to contain any secrets. If it ever does then I better rewrite my git history.</p></div>
109 </div>
110 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 111 <h3>Re: (Score:1)</h3>
299a08f3
NR
112 <div class='by' style='font-style: italic;'>by Anonymous Coward</div>
113 <div class='comment_content'><p></p><p>The most likely actual security implication is hard coded keys to 3rd party APIs.</p><p>Not that this is an inevitable threat, itâ(TM)s just something I could see being inadvertently exposed and useful without much additional effort.</p></div>
114 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 115 <h3>Re: (Score:1)</h3>
299a08f3
NR
116 <div class='by' style='font-style: italic;'>by Orrin Bloquy ( 898571 )</div>
117 <div class='comment_content'><p></p><p>> itâ(TM)s</p><p>Clear something up, are you typing curly quotes/apostrophes on purpose or do you have your browser configured to automatically do that.</p></div>
118 </div>
119 </div>
120 <div class='comment' style='display: block; margin-left: 80px'>
c715ea02 121 <h3>Re: (Score:2)</h3>
299a08f3
NR
122 <div class='by' style='font-style: italic;'>by jonwil ( 467024 )</div>
123 <div class='comment_content'><p></p><p>What about if that .git folder (and the website's source code) included private keys for stuff. Or credentials/API keys for 3rd party services. Or credentials for database and other servers.</p></div>
124 </div>
125 </div>
126</div>
127</body>