[gofetch.git] / test / expected / SLASHDOT / 0102639752
400,000 WEBSITES VULNERABLE THROUGH EXPOSED .GIT DIRECTORIES
(SCMAGAZINE.COM)

Thursday September 06, 2018 @11:30PM (msmash)
from the security-woes dept.

o Reference: 0102639752
o News link: https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories
o Source link: https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/


Open .git directories are a bigger cybersecurity problem than
many might imagine, at least according to a Czech security
researcher who [1]discovered almost 400,000 web pages with an
open .git directory possibly exposing a wide variety of data.
From a report:

> Vladimir Smitka began his .git directory odyssey in July
when he began looking at Czech websites to find how many were
improperly configured and allow access to their .git folders
within the file versions repository. Open .git directories are
a particularly dangerous issue, he said, because they can
contain a great deal of sensitive information. "Information
about the website's structure, and sometimes you can get very
sensitive data such as database passwords, API keys,
development IDE settings, and so on. However, this data
shouldn't be stored in the repository, but in previous scans
of various security issues, I have found many developers that
do not follow these best practices," Smitka wrote. Smitka
queried 230 million websites to discover the 390,000 allowing
access to their .git directories. The vast majority of the
websites with open directories had a .com TLD with .net, .de,
.org and uk comprising most of the others.



[1] https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/


**

** Re: (Score:2, Informative)
(by MidSpeck ( 1516577 ))


^/.*/\.git/
Protect git repositories in all subdirectories as well.


** Re: (Score:2)
(by jrumney ( 197329 ))


Why stop there? Are there any dot files/directories that need
to be served over HTTP?


** Re: .htaccess (Score:3)
(by spongman ( 182339 ))


Why doesn't Apache block all '.'-prefixed directories by
default?


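Added example (not code from the thread or any poster): a small Python request-path filter that contrasts MidSpeck's `^/.*/\.git/` rule with the broader "refuse every dot-prefixed entry" rule jrumney and spongman argue for, after normalising the path the way a web server does before matching. The function names and the sample requests are my own construction.

```python
import re
from urllib.parse import unquote

# MidSpeck's rule as posted: it only matches a .git directory *below* the
# document root, because ".*/" demands a slash before ".git". A root-level
# "/.git/" therefore needs a separate rule (hence his "as well").
SUBDIR_GIT = re.compile(r"^/.*/\.git/")

# The broader rule the replies ask for: refuse any path component that
# starts with a dot, at any depth, with or without a trailing slash.
ANY_DOTFILE = re.compile(r"(^|/)\.[^/]")


def normalize(path: str) -> str:
    """Percent-decode and collapse '.'/'..' segments so a rule sees the
    same path the filesystem would, e.g. '/a/%2e%2e/.git/HEAD' -> '/.git/HEAD'."""
    path = unquote(path)                     # %2e -> '.', %2f -> '/'
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    norm = "/" + "/".join(parts)
    if path.endswith("/") and norm != "/":   # keep a directory request a directory
        norm += "/"
    return norm


def blocked(path: str, rule: re.Pattern = ANY_DOTFILE) -> bool:
    """True if a request for `path` should be refused (403/404) under `rule`."""
    return rule.search(normalize(path)) is not None


def compare(paths):
    """Map each path to (blocked by subdir-only rule, blocked by any-dotfile rule)."""
    return {p: (blocked(p, SUBDIR_GIT), blocked(p, ANY_DOTFILE)) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests, including an encoded traversal to the root .git.
    samples = ["/app/.git/config", "/.git/HEAD", "/a/%2e%2e/.git/HEAD",
               "/app/.git", "/.env", "/static/app.js"]
    for p, (narrow, broad) in compare(samples).items():
        print(f"{p:24} subdir-rule={str(narrow):5} any-dotfile={broad}")
```

The subdir-only pattern leaves the root `.git/`, the encoded traversal and a slash-less `/app/.git` unmatched; the any-dotfile pattern is the one to carry into an Apache `<LocationMatch>` or nginx `location ~` deny block.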
**

** Re:https://slashdot.org/.git (Score:4, Informative)
(by ls671 ( 1122017 ))


Slashdot is still using CVS, try [1]https://slashdot.org/CVS/
[slashdot.org]
you will see, it works! :)




[1] https://slashdot.org/CVS/


** Your central git repo ... (Score:1)
(by Qbertino ( 265505 ))


... belongs behind ssh or, at least, behind http access and SSL.
If I catch you doing otherwise for anything other than FOSS
software I'll smack you. Hard.

** Re:Your central git repo ... (Score:4, Informative)
(by tlhIngan ( 30335 ))


> ... belongs behind ssh or, at least, behind http access and
> SSL.
> If I catch you doing otherwise for anything other than FOSS
> software I'll smack you. Hard.
And it probably is. The thing is, the website owners are
using git to version control and deploy their website (not a
bad idea). So they develop their web site, push it to the
central git repo, and whenever they need to go live, they
just do a "git pull" on the webserver and it'll pull down the
latest version of the website.
Problem is, they forget about the hidden .git directory git
makes that stores all sorts of useful information and with a
little persistence, allow you access to the raw source code
since you can access the individual git objects. (Or maybe
even clone it using git).

** Re: (Score:2)
(by jrumney ( 197329 ))


I do this, it is very convenient for deploying updates to
the site. But I always put the web interface into a
subdirectory, and only configure the web server to see
that so the .git directory is not visible over HTTP. And
dotfiles and directories are blocked in the webserver
config for extra protection against accidental inclusion
of invisible files.



** reheating yesterday's food (Score:3)
(by Tsolias ( 2813011 ))


just an article from 2015 [1]https://en.internetwache.org/d...
[internetwache.org]
I can give you also next year's article about .file
vulnerabilities. (spoiler alert)
[2]https://en.internetwache.org/s... [internetwache.org]




[1] https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
[2] https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/

**

** KKK (Score:2)
(by Tsolias ( 2813011 ))


> That's what you get on hiring those bootcamp "graduates"
Kode w/ Karlie Kloss, like it or not.


** Alternate headline: 99.8% websites are OK (Score:2)
(by jmichaelg ( 148257 ))


230 million websites. 400k poorly configured. 4*10^5/2.3*10^8 is
less than 0.2% of websites surveyed screwed this up.
400k is a big number but it's good to know most developers
aren't that stupid on this issue.

**

** Re: yarn dist (Score:2)
(by TimMD909 ( 260285 ))


... Equifax types for free security tests from 3rd parties
and press coverage, presumably...


** So? (Score:2)
(by cshark ( 673578 ))


An open git directory will be everything you need to reconstruct
the site, more often than not from the same server you're
targeting. Scary. Database servers are rarely open. Short of
some serious hacking, there isn't a lot you're going to be able
to do with this stuff once you've obtained the information
you're waving around here.
Until such time as I see hackers actually logging in with this
information and defacing github, I'm going to remain unconvinced
of the severity of this one.

** Re: (Score:2)
(by OrangeTide ( 124937 ))


My website's .git directories are open intentionally. Makes
for convenient mirroring and viewing of archives without
having to hope and pray wayback machine picked up my obscure
website.
I'm not too worried. It's just data on the filesystem, it's
not executing programs. And the data is not supposed to
contain any secrets. If it ever does then I better rewrite my
git history.


** Re: (Score:1)
(by Anonymous Coward)


The most likely actual security implication is hard coded
keys to 3rd party APIs.
Not that this is an inevitable threat, it’s just
something I could see being inadvertently exposed and useful
without much additional effort.

** Re: (Score:1)
(by Orrin Bloquy ( 898571 ))


> it’s
Clear something up, are you typing curly
quotes/apostrophes on purpose or do you have your browser
configured to automatically do that.



** Re: (Score:2)
(by jonwil ( 467024 ))


What about if that .git folder (and the website's source
code) included private keys for stuff. Or credentials/API
keys for 3rd party services. Or credentials for database and
other servers.

