400,000 WEBSITES VULNERABLE THROUGH EXPOSED .GIT DIRECTORIES
(SCMAGAZINE.COM)

Thursday September 06, 2018 @11:30PM (msmash)
from the security-woes dept.

o Reference: 0102639752
o News link: https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories
o Source link: https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/


Open .git directories are a bigger cybersecurity problem than
many might imagine, at least according to a Czech security
researcher who [1]discovered almost 400,000 web pages with an
open .git directory possibly exposing a wide variety of data.
From a report:

> Vladimir Smitka began his .git directory odyssey in July
when he began looking at Czech websites to find how many were
improperly configured and allow access to their .git folders
within the file versions repository. Open .git directories are
a particularly dangerous issue, he said, because they can
contain a great deal of sensitive information. "Information
about the website's structure, and sometimes you can get very
sensitive data such as database passwords, API keys,
development IDE settings, and so on. However, this data
shouldn't be stored in the repository, but in previous scans
of various security issues, I have found many developers that
do not follow these best practices," Smitka wrote. Smitka
queried 230 million websites to discover the 390,000 allowing
access to their .git directories. The vast majority of the
websites with open directories had a .com TLD with .net, .de,
.org and uk comprising most of the others.


[1] https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/

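The exposure the report describes is easy to confirm for a site you operate: a web server that serves the checkout will answer a request for /.git/HEAD with the contents of that file. The following self-check is an added example, not code from the article or from Smitka's scan. It fetches only /.git/HEAD and decides from the body whether a real repository is being served (a bare 200 is not enough, since many sites answer every path with an HTML "not found" page). The fetcher is injectable so the decision logic can be exercised offline with constructed responses; the User-Agent string and the 4 KiB read limit are assumptions.

```python
"""Self-check: does this site serve its .git/HEAD over HTTP?

Added example, not from the article. Only /.git/HEAD is requested; the
body is classified, never stored.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Shape the checker works on: (HTTP status, body text).
Response = Tuple[int, str]
Fetcher = Callable[[str], Response]

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/main") or,
# for a detached HEAD, a bare 40-hex (SHA-1) or 64-hex (SHA-256) object id.
_SYMREF = re.compile(r"^ref: refs/\S+\s*$")
_DETACHED = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})\s*$")


def looks_like_git_head(status: int, body: str) -> bool:
    """True only for a 200 whose first line is a plausible HEAD file.

    Soft 404s (HTML served with status 200) must not count as exposure.
    """
    if status != 200 or not body.strip():
        return False
    first_line = body.lstrip("\ufeff").splitlines()[0]
    return bool(_SYMREF.match(first_line) or _DETACHED.match(first_line))


def http_fetch(url: str, timeout: float = 10.0) -> Response:
    """Default fetcher: a single GET, reading at most 4 KiB of the body."""
    req = urllib.request.Request(
        url, headers={"User-Agent": "git-exposure-selfcheck"}  # assumed UA
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 4xx/5xx: not exposed
        return err.code, ""
    except urllib.error.URLError:              # DNS/connect failure
        return 0, ""


def check_site(base_url: str, fetch: Fetcher = http_fetch) -> Optional[str]:
    """Return the offending URL if /.git/HEAD looks exposed, else None."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    status, body = fetch(url)
    return url if looks_like_git_head(status, body) else None


if __name__ == "__main__":
    # Usage: python git_selfcheck.py https://www.example.invalid
    for site in sys.argv[1:]:
        hit = check_site(site)
        print(f"{site}: {'EXPOSED at ' + hit if hit else 'ok'}")
```

If the check reports exposure, the fix is server-side: keep the checkout outside the served directory, or deny every dot-prefixed path in the web server configuration; rotating any credential that was ever committed is a separate step, since the history stays readable until it is actually removed from the served tree.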
** Re: (Score:2, Informative)
(by MidSpeck ( 1516577 ))


^/.*/\.git/
Protect git repositories in all subdirectories as well.


** Re: (Score:2)
(by jrumney ( 197329 ))


Why stop there? Are there any dot files/directories that need
to be served over HTTP?


** Re: .htaccess (Score:3)
(by spongman ( 182339 ))


Why doesn't Apache block all '.'-prefixed directories by
default?

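The thread's consensus is to deny every dot-prefixed path at the web server (MidSpeck's ^/.*/\.git/ pattern generalised to any '.'-prefixed segment). When the application is also reachable directly, or the server rule might be lost in a config rewrite, the same rule can be enforced in the application as a second layer. The following WSGI middleware is an added example, not code from the posters or from any project; it normalises the request path (percent-decoding, including double encoding, and resolving ./ and ../) before looking for a dot-prefixed segment, so encoded variants such as /%2egit/HEAD or /static/../.env are caught. The allowance for /.well-known/ (RFC 8615, needed for ACME challenges) and the choice of 404 rather than 403 are assumptions.

```python
"""Deny any request whose path contains a dot-prefixed segment
(.git, .svn, .env, .htaccess, .DS_Store, ...).

Added example: an application-layer (WSGI) guard behind the web server
rule the thread recommends. The /.well-known/ exception is an assumption.
"""
from urllib.parse import unquote

# Dot-prefixed paths that must stay reachable (RFC 8615 well-known URIs).
ALLOWED_DOT_PREFIXES = ("/.well-known/",)


def normalize_path(raw_path: str) -> str:
    """Percent-decode twice (catches double encoding) and collapse ./ and ../.

    Decoding more than the server did is safe for a deny rule: it can only
    make the filter stricter, never let more through.
    """
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_hidden_path(raw_path: str) -> bool:
    """True when any segment of the normalized path starts with '.'."""
    path = normalize_path(raw_path)
    if path.startswith(ALLOWED_DOT_PREFIXES):
        return False
    return any(seg.startswith(".") for seg in path.split("/") if seg)


class DenyDotfiles:
    """WSGI middleware: 404 for hidden paths, otherwise defer to the app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_hidden_path(environ.get("PATH_INFO", "")):
            body = b"Not Found"
            start_response("404 Not Found", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


# Usage: application = DenyDotfiles(your_wsgi_app)
```

Note that the ../ handling is deliberate: a request for /.well-known/../.git/HEAD normalises to /.git/HEAD and is denied, so the allowlist cannot be used as an escape hatch.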
** Re:https://slashdot.org/.git (Score:4, Informative)
(by ls671 ( 1122017 ))


Slashdot is still using CVS, try [1]https://slashdot.org/CVS/
[slashdot.org]
you will see, it works! :)


[1] https://slashdot.org/CVS/


** Your central git repo ... (Score:1)
(by Qbertino ( 265505 ))


... belongs behind ssh or, at least, behind http access and SSL.
If I catch you doing otherwise for anything other than FOSS
software I'll smack you. Hard.

** Re:Your central git repo ... (Score:4, Informative)
(by tlhIngan ( 30335 ))


> ... belongs behind ssh or, at least, behind http access and
> SSL.
> If I catch you doing otherwise for anything other than FOSS
> software I'll smack you. Hard.
And it probably is. The thing is, the website owners are
using git to version control and deploy their website (not a
bad idea). So they develop their web site, push it to the
central git repo, and whenever they need to go live, they
just do a "git pull" on the webserver and it'll pull down the
latest version of the website.
Problem is, they forget about the hidden .git directory git
makes that stores all sorts of useful information and, with a
little persistence, allows you access to the raw source code
since you can access the individual git objects. (Or maybe
even clone it using git).

** Re: (Score:2)
(by jrumney ( 197329 ))


I do this, it is very convenient for deploying updates to
the site. But I always put the web interface into a
subdirectory, and only configure the web server to see
that so the .git directory is not visible over HTTP. And
dotfiles and directories are blocked in the webserver
config for extra protection against accidental inclusion
of invisible files.

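The deploy pattern tlhIngan describes (git pull on the web server) is safe with the layout jrumney uses: the served tree is a subdirectory of the checkout, so .git lives one level above the docroot. Whether that holds after every deploy is worth verifying mechanically. The following audit script is an added example, not code from the posters or from any project: it walks the docroot and reports every dot-prefixed entry and every known VCS metadata name, treating .git as suspect whether it is a directory or a file (a git worktree's .git is a plain file holding a gitdir: pointer). CVS is included because, as ls671's comment illustrates, CVS metadata is not dot-prefixed and a "deny dotfiles" rule alone would not hide it. The sample layout in build_sample_layout() is constructed for the demonstration.

```python
"""Post-deploy audit of a web docroot for version-control metadata and
other dot-prefixed entries.

Added example, not from the article or the posters. The sample layout is
constructed; the list of VCS names is the author's assumption.
"""
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Metadata names of common version-control systems. CVS is not
# dot-prefixed, so a web-server "deny dotfiles" rule would not cover it.
VCS_NAMES = {".git", ".svn", ".hg", "CVS"}


def is_suspect(name: str) -> bool:
    """A name is suspect if dot-prefixed or a known VCS metadata name."""
    return name.startswith(".") or name in VCS_NAMES


def find_hidden_entries(docroot: Path) -> List[str]:
    """Return docroot-relative POSIX paths of every suspect file or dir."""
    docroot = docroot.resolve()
    hits: List[str] = []
    for root, dirs, files in os.walk(docroot):
        rel_root = Path(root).relative_to(docroot)
        for name in dirs + files:
            if is_suspect(name):
                hits.append((rel_root / name).as_posix())
        # Do not descend into a flagged directory: one line per .git is enough.
        dirs[:] = [d for d in dirs if not is_suspect(d)]
    return sorted(hits)


def build_sample_layout(base: Path) -> Path:
    """Constructed checkout: .git above the docroot, two leaks inside it."""
    (base / ".git").mkdir()
    public = base / "public"
    (public / "assets").mkdir(parents=True)
    (public / "index.html").write_text("<h1>hello</h1>")
    (public / "assets" / ".DS_Store").write_bytes(b"")   # leaked OS metadata
    (public / "CVS").mkdir()                              # leaked CVS metadata
    return public


def demo() -> Dict[str, List[str]]:
    """Audit the constructed layout twice: the docroot and the whole checkout.

    Auditing only public/ does not see the parent .git (which is the point of
    the layout); auditing the checkout root shows what a docroot set one
    level too high would expose.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        public = build_sample_layout(base)
        return {
            "docroot": find_hidden_entries(public),
            "checkout": find_hidden_entries(base),
        }


if __name__ == "__main__":
    # Usage: python audit_docroot.py /path/to/served/directory
    # With no argument the constructed sample layout is audited instead.
    if len(sys.argv) > 1:
        findings = find_hidden_entries(Path(sys.argv[1]))
    else:
        findings = demo()["docroot"]
    for entry in findings:
        print("suspect entry:", entry)
    sys.exit(1 if findings else 0)
```

Run as the last step of a deploy script, the non-zero exit on findings fails the deploy before the web server ever serves the leaked entry. If the checkout cannot be kept above the docroot, exporting the tree with git archive into the served directory leaves no .git there at all.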


** reheating yesterday's food (Score:3)
(by Tsolias ( 2813011 ))


just an article from 2015 [1]https://en.internetwache.org/d...
[internetwache.org]
I can give you also next year's article about .file
vulnerabilities. (spoiler alert)
[2]https://en.internetwache.org/s... [internetwache.org]


[1] https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
[2] https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/

** KKK (Score:2)
(by Tsolias ( 2813011 ))


> That's what you get on hiring those bootcamp "graduates"
Kode w/ Karlie Kloss, like it or not.


** Alternate headline: 99.8% websites are OK (Score:2)
(by jmichaelg ( 148257 ))


230 million websites. 400k poorly configured. 4*10^5/2.3*10^8 is
less than 0.2% of websites surveyed screwed this up.
400k is a big number but it's good to know most developers
aren't that stupid on this issue.

** Re: yarn dist (Score:2)
(by TimMD909 ( 260285 ))


... Equifax types for free security tests from 3rd parties
and press coverage, presumably...


** So? (Score:2)
(by cshark ( 673578 ))


An open git directory will be everything you need to reconstruct
the site, more often than not from the same server you're
targeting. Scary. Database servers are rarely open. Short of
some serious hacking, there isn't a lot you're going to be able
to do with this stuff once you've obtained the information
you're waving around here.
Until such time as I see hackers actually logging in with this
information and defacing github, I'm going to remain unconvinced
of the severity of this one.

** Re: (Score:2)
(by OrangeTide ( 124937 ))


My website's .git directories are open intentionally. Makes
for convenient mirroring and viewing of archives without
having to hope and pray wayback machine picked up my obscure
website.
I'm not too worried. It's just data on the filesystem, it's
not executing programs. And the data is not supposed to
contain any secrets. If it ever does then I better rewrite my
git history.


** Re: (Score:1)
(by Anonymous Coward)


The most likely actual security implication is hard coded
keys to 3rd party APIs.
Not that this is an inevitable threat, it’s just
something I could see being inadvertently exposed and useful
without much additional effort.

** Re: (Score:1)
(by Orrin Bloquy ( 898571 ))


> it’s
Clear something up, are you typing curly
quotes/apostrophes on purpose or do you have your browser
configured to automatically do that?


** Re: (Score:2)
(by jonwil ( 467024 ))


What about if that .git folder (and the website's source
code) included private keys for stuff. Or credentials/API
keys for 3rd party services. Or credentials for database and
other servers.
