400,000 WEBSITES VULNERABLE THROUGH EXPOSED .GIT DIRECTORIES
(SCMAGAZINE.COM)

Thursday September 06, 2018 @11:30PM (msmash)
from the security-woes dept.

o News link: https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories
o Source link: https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/


Open .git directories are a bigger cybersecurity problem than
many might imagine, at least according to a Czech security
researcher who discovered almost 400,000 web pages with an
open .git directory possibly exposing a wide variety of data.
From a report: Vladimir Smitka began his .git directory
odyssey in July when he began looking at Czech websites to
find how many were improperly configured and allowed access to
their .git folders within the file versions repository. Open
.git directories are a particularly dangerous issue, he said,
because they can contain a great deal of sensitive
information. "Information about the website's structure, and
sometimes you can get very sensitive data such as database
passwords, API keys, development IDE settings, and so on.
However, this data shouldn't be stored in the repository, but
in previous scans of various security issues, I have found
many developers that do not follow these best practices,"
Smitka wrote. Smitka queried 230 million websites to discover
the 390,000 allowing access to their .git directories. The
vast majority of the websites with open directories had a .com
TLD, with .net, .de, .org and .uk comprising most of the others.


** Re: (Score:2, Informative)
(by MidSpeck ( 1516577 ))

^/.*/\.git/
Protect git repositories in all subdirectories as well.


** Re: (Score:2)
(by jrumney ( 197329 ))

Why stop there? Are there any dot files/directories that need
to be served over HTTP?


** Re: .htaccess (Score:3)
(by spongman ( 182339 ))

Why doesn't Apache block all '.'-prefixed directories by
default?

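The three comments above converge on one rule: deny every dot-prefixed path component, not just the top-level .git (MidSpeck's pattern requires a directory prefix before .git, so it complements a root rule rather than replacing it). The one dot-directory that does need to be reachable over HTTP is /.well-known/, which RFC 8615 reserves for things like ACME certificate validation. The filter below is an added example, not code from the thread or from any web server: it applies the generalised rule in front of a file-serving callable and first undoes the encodings (percent-encoding, double encoding, dot-segments) that a naive regex match would miss. The function names, the allow-list and the sample requests are assumptions of this example.

```python
"""Request-path guard that denies HTTP access to dot-files and
dot-directories (.git, .svn, .env, .DS_Store, .htpasswd, ...) anywhere
in the path, while still allowing /.well-known/.

Added example for this thread; not code from the original page.
The allow-list, function names and sample requests are assumptions."""

import posixpath
from urllib.parse import unquote

# Dot-prefixed path components that legitimately need to be served.
# RFC 8615 reserves /.well-known/ for exactly this purpose (assumed to be
# the only exception a typical site needs).
ALLOWED_DOT_SEGMENTS = {".well-known"}


def normalize_path(raw_path: str) -> str:
    """Reduce a request path to the form the dot-segment rule must see.

    Handles the usual ways a path can hide a '.' from a pattern match:
    percent-encoding, double percent-encoding, backslashes, and
    dot-segments such as /static/../.git/HEAD.
    """
    path = raw_path.split("?", 1)[0]            # the query string is irrelevant
    for _ in range(3):                           # peel %252e -> %2e -> '.'
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # normpath resolves '.' and '..' components and collapses repeated '/'.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_hidden_path(raw_path: str) -> bool:
    """True if any component of the normalized path starts with '.'
    and is not on the allow-list."""
    for segment in normalize_path(raw_path).split("/"):
        if segment.startswith(".") and segment not in ALLOWED_DOT_SEGMENTS:
            return True
    return False


def dispatch(raw_path: str, serve):
    """Run the guard in front of `serve(normalized_path)`.

    Answers 404 rather than 403 so the response does not confirm that the
    hidden directory exists; `serve` is any callable returning
    (status, body) and stands in for the real static-file handler.
    """
    if is_hidden_path(raw_path):
        return 404, b"Not Found"
    return serve(normalize_path(raw_path))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sample_requests = [
        "/.git/HEAD",
        "/sub/site/.git/config",
        "/%2egit/HEAD",
        "/%252egit/HEAD",
        "/static/..%2F.git/HEAD",
        "/.well-known/../.git/HEAD",
        "/.env",
        "/.well-known/acme-challenge/abc123",
        "/images/photo.jpg",
    ]
    for req in sample_requests:
        verdict = "DENY " if is_hidden_path(req) else "allow"
        print(f"{verdict}  {req:40s} -> {normalize_path(req)}")
```

Web servers express the same rule in their own config rather than in application code: Apache's stock configuration already denies `.ht*` files but nothing else dot-prefixed, and the usual fix is a `RedirectMatch 404` (or `<DirectoryMatch>`) on `/\.` with a negative lookahead for `well-known`; nginx does it with a `location ~ /\.(?!well-known)` block returning 404. The normalization step matters there too: match against the decoded, dot-segment-resolved path the server actually maps to the filesystem, which both servers do before evaluating those directives.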

** Re:https://slashdot.org/.git (Score:4, Informative)
(by ls671 ( 1122017 ))

Slashdot is still using CVS, try [1]https://slashdot.org/CVS/
[slashdot.org]
you will see, it works! :)

[1] https://slashdot.org/CVS/


** Your central git repo ... (Score:1)
(by Qbertino ( 265505 ))

... belongs behind ssh or, at least, behind http access and SSL.
If I catch you doing otherwise for anything other than FOSS
software I'll smack you. Hard.

** Re:Your central git repo ... (Score:4, Informative)
(by tlhIngan ( 30335 ))

> ... belongs behind ssh or, at least, behind http access and
> SSL.
> If I catch you doing otherwise for anything other than FOSS
> software I'll smack you. Hard.
And it probably is. The thing is, the website owners are
using git to version control and deploy their website (not a
bad idea). So they develop their web site, push it to the
central git repo, and whenever they need to go live, they
just do a "git pull" on the webserver and it'll pull down the
latest version of the website.
Problem is, they forget about the hidden .git directory git
makes that stores all sorts of useful information and, with a
little persistence, allows you access to the raw source code
since you can access the individual git objects. (Or maybe
even clone it using git).

** Re: (Score:2)
(by jrumney ( 197329 ))

I do this, it is very convenient for deploying updates to
the site. But I always put the web interface into a
subdirectory, and only configure the web server to see
that so the .git directory is not visible over HTTP. And
dotfiles and directories are blocked in the webserver
config for extra protection against accidental inclusion
of invisible files.

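The layout jrumney describes (checkout root holds .git, only a subdirectory is the document root) can be verified rather than assumed: after each deploy, walk the directory the web server actually serves and report anything dot-prefixed or any version-control bookkeeping directory, including the plain-named CVS directory that the slashdot.org/CVS/ jab above refers to. The audit below is an added example, not code from the thread; it builds a throw-away checkout with the same structure, with constructed file contents, so it runs offline, and it reports a hidden directory once without descending into it. The file layout, names and the allow-list for .well-known are assumptions of this example.

```python
"""Post-deploy audit: list dot-files, dot-directories and VCS metadata
directories that ended up inside a served document root.

Added example for this thread; not code from the original page. The
sample checkout, its file contents and the allow-list are constructed."""

import os
import tempfile
from pathlib import Path

# /.well-known/ is the one dot-directory a site usually must serve (RFC 8615).
ALLOWED_DOT_ENTRIES = {".well-known"}

# Repository bookkeeping that must never sit under the docroot. CVS uses a
# plain 'CVS' directory, so a dot-prefix check alone would not catch it.
VCS_DIRS = {".git", ".svn", ".hg", "CVS"}


def audit_docroot(docroot) -> list:
    """Return sorted, docroot-relative paths of hidden or VCS entries.

    A flagged directory is reported once and pruned from the walk, so
    '.git' appears rather than every object under '.git/objects/'.
    """
    root = Path(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=True):
        rel_dir = Path(dirpath).relative_to(root)
        keep = []
        for name in dirnames:
            hidden = name.startswith(".") and name not in ALLOWED_DOT_ENTRIES
            if hidden or name in VCS_DIRS:
                findings.append((rel_dir / name).as_posix())
            else:
                keep.append(name)
        dirnames[:] = keep                      # prune flagged directories
        for name in filenames:
            if name.startswith("."):
                findings.append((rel_dir / name).as_posix())
    return sorted(findings)


def build_sample_checkout(base) -> Path:
    """Construct a throw-away checkout laid out the way the comment above
    describes: .git at the top, only public/ meant to be served.
    Every file below is constructed sample data, not a real site."""
    base = Path(base)
    layout = {
        ".git/HEAD": "ref: refs/heads/master\n",
        ".git/config": "[core]\n\trepositoryformatversion = 0\n",
        "CVS/Root": ":pserver:anonymous@example.invalid:/cvsroot\n",
        "public/index.html": "<h1>hello</h1>\n",
        "public/.env": "DB_PASSWORD=constructed-example-only\n",
        "public/assets/app.js": "console.log('constructed');\n",
        "public/assets/.DS_Store": "",
        "public/.well-known/acme-challenge/token": "constructed\n",
    }
    for rel, content in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return base


def run_demo() -> dict:
    """Audit both the whole checkout and the public/ docroot; return both
    result lists so they can be compared."""
    with tempfile.TemporaryDirectory() as tmp:
        checkout = build_sample_checkout(Path(tmp) / "site")
        return {
            "checkout": audit_docroot(checkout),
            "public": audit_docroot(checkout / "public"),
        }


if __name__ == "__main__":
    results = run_demo()
    print("serving the checkout root would expose:", results["checkout"])
    print("serving public/ still exposes:        ", results["public"])
```

Serving the subdirectory removes .git and CVS from the picture, but the audit still finds the stray .env and .DS_Store inside public/, which is why jrumney's second measure (blocking dot-entries in the web server config as well) is not redundant with the first.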


** reheating yesterday's food (Score:3)
(by Tsolias ( 2813011 ))

just an article from 2015 [1]https://en.internetwache.org/d...
[internetwache.org]
I can give you also next year's article about .file
vulnerabilities. (spoiler alert)
[2]https://en.internetwache.org/s... [internetwache.org]

[1] https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
[2] https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/


** KKK (Score:2)
(by Tsolias ( 2813011 ))

> That's what you get on hiring those bootcamp "graduates"
Kode w/ Karlie Kloss, like it or not.


** Alternate headline: 99.8% websites are OK (Score:2)
(by jmichaelg ( 148257 ))

230 million websites. 400k poorly configured. 4*10^5/2.3*10^8 is
less than 0.2% of websites surveyed screwed this up.
400k is a big number but it's good to know most developers
aren't that stupid on this issue.


** Re: yarn dist (Score:2)
(by TimMD909 ( 260285 ))

... Equifax types for free security tests from 3rd parties
and press coverage, presumably...


** So? (Score:2)
(by cshark ( 673578 ))

An open git directory will be everything you need to reconstruct
the site, more often than not from the same server you're
targeting. Scary. Database servers are rarely open. Short of
some serious hacking, there isn't a lot you're going to be able
to do with this stuff once you've obtained the information
you're waving around here.
Until such time as I see hackers actually logging in with this
information and defacing github, I'm going to remain unconvinced
of the severity of this one.

** Re: (Score:2)
(by OrangeTide ( 124937 ))

My website's .git directories are open intentionally. Makes
for convenient mirroring and viewing of archives without
having to hope and pray wayback machine picked up my obscure
website.
I'm not too worried. It's just data on the filesystem, it's
not executing programs. And the data is not supposed to
contain any secrets. If it ever does then I better rewrite my
git history.


** Re: (Score:1)
(by Anonymous Coward)

The most likely actual security implication is hard coded
keys to 3rd party APIs.
Not that this is an inevitable threat, it’s just
something I could see being inadvertently exposed and useful
without much additional effort.

** Re: (Score:1)
(by Orrin Bloquy ( 898571 ))

> it’s
Clear something up, are you typing curly
quotes/apostrophes on purpose or do you have your browser
configured to automatically do that?


** Re: (Score:2)
(by jonwil ( 467024 ))

What about if that .git folder (and the website's source
code) included private keys for stuff. Or credentials/API
keys for 3rd party services. Or credentials for database and
other servers.
