400,000 WEBSITES VULNERABLE THROUGH EXPOSED .GIT DIRECTORIES
(SCMAGAZINE.COM)

Thursday September 06, 2018 @11:30PM (msmash)
from the security-woes dept.

o News link: https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories
o Source link: https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/

Open .git directories are a bigger cybersecurity problem than many might imagine, at least according to a Czech security researcher who discovered almost 400,000 web pages with an open .git directory, possibly exposing a wide variety of data. From a report: Vladimir Smitka began his .git directory odyssey in July when he began looking at Czech websites to find how many were improperly configured and allowed access to their .git folders within the file versions repository. Open .git directories are a particularly dangerous issue, he said, because they can contain a great deal of sensitive information. "Information about the website's structure, and sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on. However, this data shouldn't be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices," Smitka wrote. Smitka queried 230 million websites to discover the 390,000 allowing access to their .git directories. The vast majority of the websites with open directories had a .com TLD, with .net, .de, .org and .uk comprising most of the others.

** Re: (Score:2, Informative)
(by MidSpeck ( 1516577 ))

^/.*/\.git/
Protect git repositories in all subdirectories as well.

** Re: (Score:2)
(by jrumney ( 197329 ))

Why stop there? Are there any dot files/directories that need to be served over HTTP?

** Re: .htaccess (Score:3)
(by spongman ( 182339 ))

Why doesn't Apache block all '.'-prefixed directories by default?
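MidSpeck's pattern and the "why stop at .git?" question from jrumney and spongman are easiest to compare by running the candidate rules against request paths. The Python below is an added example, not code from the thread or from the article: it models the Apache-style regexes with Python's re module against constructed sample paths. The rule names (SUBDIR_GIT_RULE and so on) and the /.well-known/ allow-list are my own assumptions.

```python
import re

# Constructed request paths (not from the thread) used to exercise each rule.
SAMPLE_PATHS = [
    "/.git/HEAD",                            # repo at the document root
    "/.git/config",
    "/blog/.git/HEAD",                       # repo in a subdirectory
    "/.gitignore",                           # a dotfile, but not the .git directory
    "/.env",
    "/docs/.svn/entries",                    # other VCS metadata
    "/.well-known/acme-challenge/token123",  # must stay reachable for ACME
    "/git/history.html",                     # no leading dot: normal content
    "/assets/css/site.css",
]

# The Apache-style pattern quoted in MidSpeck's comment. It needs a "/" between
# the leading "/" and ".git/", so it only matches repositories in subdirectories.
SUBDIR_GIT_RULE = re.compile(r"^/.*/\.git/")

# Same intent, but the directory part is optional, so a .git at the root is
# covered too.
ANY_GIT_RULE = re.compile(r"^/(.*/)?\.git/")

# "Why stop there?": deny any path segment that starts with a dot.
ANY_DOTFILE_RULE = re.compile(r"^/(.*/)?\.[^/]+")

# Blanket dotfile rule with /.well-known/ carved out (assumed allow-list;
# ACME HTTP-01 challenges are served from there).
DOTFILE_RULE_KEEP_WELLKNOWN = re.compile(r"^/(?!\.well-known/)(.*/)?\.[^/]+")

RULES = {
    "subdir-git-only": SUBDIR_GIT_RULE,
    "any-git": ANY_GIT_RULE,
    "any-dotfile": ANY_DOTFILE_RULE,
    "dotfile-keep-well-known": DOTFILE_RULE_KEEP_WELLKNOWN,
}


def is_denied(rule, path):
    """True if the regex would deny this request path (LocationMatch semantics)."""
    return rule.search(path) is not None


def evaluate(rule, paths=SAMPLE_PATHS):
    """Map each sample path to whether the rule denies it."""
    return {p: is_denied(rule, p) for p in paths}


def uncovered_git_paths(rule, paths=SAMPLE_PATHS):
    """Paths that point inside a .git directory yet slip past the rule."""
    return [p for p in paths if ANY_GIT_RULE.search(p) and not is_denied(rule, p)]


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name}:")
        for path, denied in evaluate(rule).items():
            print(f"  {'DENY ' if denied else 'allow'} {path}")
        print(f"  slips through: {uncovered_git_paths(rule)}")
```

The point it makes: `^/.*/\.git/` requires a slash between the root and `.git/`, so a repository sitting in the document root itself is not matched, while `^/(.*/)?\.git/` covers both cases. A blanket dotfile rule is stricter still, but it also denies `/.well-known/`, which is where ACME HTTP-01 challenges are served from, so that tree needs an exception. In Apache 2.4 such a regex goes in a `<LocationMatch>` block with `Require all denied`; nginx uses a `location ~` block with `deny all`.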
** Re:https://slashdot.org/.git (Score:4, Informative)
(by ls671 ( 1122017 ))

Slashdot is still using CVS; try [1]https://slashdot.org/CVS/ [slashdot.org] and you will see, it works! :)

[1] https://slashdot.org/CVS/

** Your central git repo ... (Score:1)
(by Qbertino ( 265505 ))

... belongs behind ssh or, at least, behind http access and SSL. If I catch you doing otherwise for anything other than FOSS software I'll smack you. Hard.

** Re:Your central git repo ... (Score:4, Informative)
(by tlhIngan ( 30335 ))

> ... belongs behind ssh or, at least, behind http access and SSL.
> If I catch you doing otherwise for anything other than FOSS software I'll smack you. Hard.

And it probably is. The thing is, the website owners are using git to version control and deploy their website (not a bad idea). So they develop their web site, push it to the central git repo, and whenever they need to go live, they just do a "git pull" on the webserver and it'll pull down the latest version of the website.
Problem is, they forget about the hidden .git directory git makes that stores all sorts of useful information and, with a little persistence, allows you access to the raw source code since you can access the individual git objects. (Or maybe even clone it using git).
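On the defender's side, the pattern tlhIngan describes leaves a clear trace in the web server's access log, and the response status tells you whether a probe for .git actually succeeded. The following is an added example, not code from the thread or the article: it parses Apache combined-format lines, counts dotfile and .git requests per client, and lists the dot paths the server served with 200. The log lines are constructed (documentation IP ranges, made-up paths), and the function names are my own.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Anything under a .git directory (or the directory itself).
GIT_PATH_RE = re.compile(r"^/(.*/)?\.git(/|$)")
# Any dot-prefixed segment, except the /.well-known/ tree used for ACME challenges.
DOTFILE_RE = re.compile(r"^/(?!\.well-known/)(.*/)?\.[^/]+")

# Constructed log lines (documentation IP ranges, made-up paths), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Sep/2018:19:54:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.61.0"
203.0.113.7 - - [06/Sep/2018:19:54:02 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "curl/7.61.0"
203.0.113.7 - - [06/Sep/2018:19:54:03 +0000] "GET /.git/objects/ab/cdef0123 HTTP/1.1" 200 412 "-" "curl/7.61.0"
198.51.100.9 - - [06/Sep/2018:19:55:10 +0000] "GET /blog/.git/HEAD HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Sep/2018:19:55:11 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Sep/2018:19:56:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Sep/2018:19:56:01 +0000] "GET /.well-known/acme-challenge/abc HTTP/1.1" 200 87 "-" "acme-client"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text):
    """Per client: how many dotfile requests, how many hit .git, and which were served (200)."""
    per_host = defaultdict(lambda: {"dotfile_requests": 0, "git_requests": 0, "served": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # ignore query strings
        if not DOTFILE_RE.search(path):
            continue
        entry = per_host[rec["host"]]
        entry["dotfile_requests"] += 1
        if GIT_PATH_RE.search(path):
            entry["git_requests"] += 1
        if rec["status"] == 200:
            entry["served"].append(path)      # the server actually handed the file over
    return dict(per_host)


def exposures(report):
    """Dotfile paths the server served with 200: each one is a confirmed exposure to fix."""
    return sorted({p for entry in report.values() for p in entry["served"]})


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for host, entry in report.items():
        print(host, entry)
    print("confirmed exposures:", exposures(report))
```

A 403 or 404 on `/.git/HEAD` means the deny rule or the layout held; a 200 means the repository is really being served and the fix (and a review of what the history contains) is urgent, which is the distinction the status column gives you for free.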
** Re: (Score:2)
(by jrumney ( 197329 ))

I do this; it is very convenient for deploying updates to the site. But I always put the web interface into a subdirectory, and only configure the web server to see that, so the .git directory is not visible over HTTP. And dotfiles and directories are blocked in the webserver config for extra protection against accidental inclusion of invisible files.
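jrumney's layout (the document root is a subdirectory of the checkout, so .git sits above what the server can reach) can be checked mechanically before each "git pull" deploy. The script below is an added example, not code from the thread: it walks up from the document root to find the enclosing repository, fails if the docroot is the repository root itself, and lists any dot-prefixed entries the server could hand out. The allow-list (.htaccess, .well-known), the demo directory trees and the fake .env secret are constructed assumptions of mine.

```python
import os
import tempfile
from pathlib import Path

# Dot entries that are legitimately expected in a document root (assumed allow-list;
# Apache's stock config already refuses to serve .ht* files).
DEFAULT_ALLOW = {".htaccess", ".well-known"}


def find_enclosing_repo(docroot):
    """Walk upward from docroot; return the directory that holds .git, or None."""
    p = Path(docroot).resolve()
    for candidate in (p, *p.parents):
        if (candidate / ".git").exists():
            return candidate
    return None


def dot_entries_under(docroot, allow=DEFAULT_ALLOW):
    """Relative paths of dot-prefixed files/dirs the web server could hand out."""
    root = Path(docroot)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for name in sorted(dirnames + filenames):
            if name.startswith(".") and name not in allow:
                found.append(str(rel / name))
        # Flag a dot directory once; no need to list everything inside it.
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
    return found


def audit_docroot(docroot, allow=DEFAULT_ALLOW):
    """Pre-deploy check: is the docroot the repo itself, and does it leak dotfiles?"""
    repo = find_enclosing_repo(docroot)
    docroot_is_repo_root = repo is not None and repo == Path(docroot).resolve()
    exposed = dot_entries_under(docroot, allow)
    return {
        "repo_root": str(repo) if repo else None,
        "docroot_is_repo_root": docroot_is_repo_root,
        "exposed_dot_entries": exposed,
        "ok": not docroot_is_repo_root and not exposed,
    }


def build_layout(base, nested):
    """Constructed demo tree. nested=True puts the served files in repo/public."""
    repo = Path(base) / ("site-nested" if nested else "site-flat")
    (repo / ".git").mkdir(parents=True)
    (repo / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    (repo / ".env").write_text("DB_PASSWORD=constructed-example\n")  # fake secret
    docroot = repo / "public" if nested else repo
    docroot.mkdir(exist_ok=True)
    (docroot / "index.html").write_text("<h1>hello</h1>\n")
    (docroot / ".htaccess").write_text("Options -Indexes\n")
    return docroot


def demo():
    """Audit both layouts; returns (report for nested layout, report for flat layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        nested_report = audit_docroot(build_layout(tmp, nested=True))
        flat_report = audit_docroot(build_layout(tmp, nested=False))
    return nested_report, flat_report


if __name__ == "__main__":
    for label, report in zip(("docroot = repo/public", "docroot = repo"), demo()):
        print(label, "->", "OK" if report["ok"] else "FAIL", report)
```

Run it against the real document root as a deploy hook and refuse to go live when `ok` is false; the subdirectory layout passes while the "pull straight into the docroot" layout fails on both counts (.git and .env are reachable).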
** reheating yesterday's food (Score:3)
(by Tsolias ( 2813011 ))

Just an article from 2015: [1]https://en.internetwache.org/d... [internetwache.org]
I can also give you next year's article about .file vulnerabilities. (spoiler alert)
[2]https://en.internetwache.org/s... [internetwache.org]

[1] https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
[2] https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/

** KKK (Score:2)
(by Tsolias ( 2813011 ))

> That's what you get on hiring those bootcamp "graduates"
Kode w/ Karlie Kloss, like it or not.

** Alternate headline: 99.8% websites are OK (Score:2)
(by jmichaelg ( 148257 ))

230 million websites. 400k poorly configured. 4*10^5/2.3*10^8 is less than 0.2% of websites surveyed screwed this up.
400k is a big number but it's good to know most developers aren't that stupid on this issue.

** Re: yarn dist (Score:2)
(by TimMD909 ( 260285 ))

... Equifax types for free security tests from 3rd parties and press coverage, presumably...

** So? (Score:2)
(by cshark ( 673578 ))

An open git directory will be everything you need to reconstruct the site, more often than not from the same server you're targeting. Scary. Database servers are rarely open. Short of some serious hacking, there isn't a lot you're going to be able to do with this stuff once you've obtained the information you're waving around here.
Until such time as I see hackers actually logging in with this information and defacing github, I'm going to remain unconvinced of the severity of this one.
** Re: (Score:2)
(by OrangeTide ( 124937 ))

My website's .git directories are open intentionally. Makes for convenient mirroring and viewing of archives without having to hope and pray wayback machine picked up my obscure website.
I'm not too worried. It's just data on the filesystem, it's not executing programs. And the data is not supposed to contain any secrets. If it ever does then I better rewrite my git history.

** Re: (Score:1)
(by Anonymous Coward)

The most likely actual security implication is hard coded keys to 3rd party APIs.
Not that this is an inevitable threat, it’s just something I could see being inadvertently exposed and useful without much additional effort.

** Re: (Score:1)
(by Orrin Bloquy ( 898571 ))

> it’s
Clear something up, are you typing curly quotes/apostrophes on purpose or do you have your browser configured to automatically do that?

** Re: (Score:2)
(by jonwil ( 467024 ))

What about if that .git folder (and the website's source code) included private keys for stuff. Or credentials/API keys for 3rd party services. Or credentials for database and other servers.