1 400,000 WEBSITES VULNERABLE THROUGH EXPOSED .GIT DIRECTORIES
4 Thursday September 06, 2018 @11:30PM (msmash)
5 from the security-woes dept.
7 o Reference: 0102639752
8 o News link: https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories
9 o Source link: https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/
12 Open .git directories are a bigger cybersecurity problem than
13 many might imagine, at least according to a Czech security
14 researcher who discovered almost 400,000 web pages with an
15 open .git directory possibly exposing a wide variety of data.
16 From a report: Vladimir Smitka began his .git directory
17 odyssey in July when he began looking at Czech websites to
18 find how many were improperly configured and allow access to
19 their .git folders within the file versions repository. Open
20 .git directories are a particularly dangerous issue, he said,
21 because they can contain a great deal of sensitive
22 information. "Information about the website's structure, and
23 sometimes you can get very sensitive data such as database
24 passwords, API keys, development IDE settings, and so on.
25 However, this data shouldn't be stored in the repository, but
26 in previous scans of various security issues, I have found
27 many developers that do not follow these best practices,"
28 Smitka wrote. Smitka queried 230 million websites to discover
29 the 390,000 allowing access to their .git directories. The
30 vast majority of the websites with open directories had a .com
31 TLD with .net, .de, .org and uk comprising most of the others.
36 ** Re: (Score:2, Informative)
37 (by MidSpeck ( 1516577 ))
41 Protect git repositories in all subdirectories as well.
45 (by jrumney ( 197329 ))
48 Why stop there? Are there any dot files/directories that need
49 to be served over HTTP?
52 ** Re: .htaccess (Score:3)
53 (by spongman ( 182339 ))
56 Why doesn't Apache block all '.'-prefixed directories by
62 ** Re:https://slashdot.org/.git (Score:4, Informative)
63 (by ls671 ( 1122017 ))
66 Slashdot is still using CVS try [1]https://slashdot.org/CVS/
68 you will see, it works! :)
73 [1] https://slashdot.org/CVS/
76 ** Your central git repo ... (Score:1)
77 (by Qbertino ( 265505 ))
80 ... belongs behind ssh or, at least, behind http access and SSL.
81 If I catch you doing otherwise for anything other than FOSS
82 software I'll smack you. Hard.
84 ** Re:Your central git repo ... (Score:4, Informative)
85 (by tlhIngan ( 30335 ))
88 > ... belongs behind ssh or, at least, behind http access and
90 > If I catch you doing otherwise for anything other than FOSS
91 > software I'll smack you. Hard.
92 And it probably is. The thing is, the website owners are
93 using git to version control and deploy their website (not a
94 bad idea). So they develop their web site, push it to the
95 central git repo, and whenever they need to go live, they
96 just do a "git pull" on the webserver and it'll pull down the
97 latest version of the website.
98 Problem is, they forget about the hidden .git directory git
99 makes that stores all sorts of useful information and with a
100 little persistence, allow you access to the raw source code
101 since you can access the individual git objects. (Or maybe
102 even clone it using git).
105 (by jrumney ( 197329 ))
108 I do this, it is very convenient for deploying updates to
109 the site. But I always put the web interface into a
110 subdirectory, and only configure the web server to see
111 that so the .git directory is not visible over HTTP. And
112 dotfiles and directories are blocked in the webserver
113 config for extra protection against accidental inclusion
118 ** reheating yesterday's food (Score:3)
119 (by Tsolias ( 2813011 ))
122 just an article from 2015 [1]https://en.internetwache.org/d...
124 I can give you also next year's article about .file
125 vulnerabilities. (spoiler alert)
126 [2]https://en.internetwache.org/s... [internetwache.org]
132 https://en.internetwache.org/dont-publicly-expose-git-or-how-we-
133 downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-
136 https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-st-
137 ore-files-12-03-2018/
142 (by Tsolias ( 2813011 ))
145 > Thats what you get on hiring those bootcamp "graduates"
146 Kode w/ Karlie Kloss, like it or not.
149 ** Alternate headline: 99.8% websites are OK (Score:2)
150 (by jmichaelg ( 148257 ))
153 230 million websites. 400k poorly configured. 4*10^5/2.3*10^8 is
154 less than 0.2% of websites surveyed screwed this up.
155 400k is a big number but it's good to know most developers
156 aren't that stupid on this issue.
160 ** Re: yarn dist (Score:2)
161 (by TimMD909 ( 260285 ))
164 ... Equifax types for free security tests from 3rd parties
165 and press coverage, presumably...
169 (by cshark ( 673578 ))
172 An open git directory will be everything you need to reconstruct
173 the site, more often than not from the same server you're
174 targeting. Scary. Database servers are rarely open. Short of
175 some serious hacking, there isn't a lot you're going to be able
176 to do with this stuff once you've obtained the information
177 you're waving around here.
178 Until such time as I see hackers actually logging in with this
179 information and defacing github, I'm going to remain unconvinced
180 of the severity of this one.
183 (by OrangeTide ( 124937 ))
186 My website's .git directories are open intentionally. Makes
187 for convenient mirroring and viewing of archives without
188 having to hope and pray wayback machine picked up my obscure
190 I'm not too worried. It's just data on the filesystem, it's
191 not executing programs. And the data is not supposed to
192 contain any secrets. If it ever does then I better rewrite my
197 (by Anonymous Coward)
200 The most likely actual security implication is hard coded
201 keys to 3rd party APIs.
202 Not that this is an inevitable threat, itâ(TM)s just
203 something I could see being inadvertently exposed and useful
204 without much additional effort.
207 (by Orrin Bloquy ( 898571 ))
211 Clear something up, are you typing curly
212 quotes/apostrophes on purpose or do you have your browser
213 configured to automatically do that.
218 (by jonwil ( 467024 ))
221 What about if that .git folder (and the website's source
222 code) included private keys for stuff. Or credentials/API
223 keys for 3rd party services. Or credentials for database and