400,000 WEBSITES VULNERABLE THROUGH EXPOSED .GIT DIRECTORIES
(SCMAGAZINE.COM)

Thursday September 06, 2018 @11:30PM (msmash)
from the security-woes dept.

o Reference: 0102639752
o News link: https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories
o Source link: https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/


Open .git directories are a bigger cybersecurity problem than
many might imagine, at least according to a Czech security
researcher who [1]discovered almost 400,000 web pages with an
open .git directory possibly exposing a wide variety of data.
From a report:

> Vladimir Smitka began his .git directory odyssey in July
> when he began looking at Czech websites to find how many were
> improperly configured and allow access to their .git folders
> within the file versions repository. Open .git directories are
> a particularly dangerous issue, he said, because they can
> contain a great deal of sensitive information. "Information
> about the website's structure, and sometimes you can get very
> sensitive data such as database passwords, API keys,
> development IDE settings, and so on. However, this data
> shouldn't be stored in the repository, but in previous scans
> of various security issues, I have found many developers that
> do not follow these best practices," Smitka wrote. Smitka
> queried 230 million websites to discover the 390,000 allowing
> access to their .git directories. The vast majority of the
> websites with open directories had a .com TLD with .net, .de,
> .org and .uk comprising most of the others.



[1] https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/



** Re: (Score:2, Informative)
(by MidSpeck ( 1516577 ))


^/.*/\.git/
Protect git repositories in all subdirectories as well.


** Re: (Score:2)
(by jrumney ( 197329 ))


Why stop there? Are there any dot files/directories that need
to be served over HTTP?


** Re: .htaccess (Score:3)
(by spongman ( 182339 ))


Why doesn't Apache block all '.'-prefixed directories by
default?
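
The three comments above ask about blocking /sub/.git/ and, more generally, every dot-prefixed path. Here is an added example in Python (mine, not code from any commenter, from Apache or from nginx): a request-path check that rejects any path whose normalized form has a component starting with '.', keeps /.well-known/ reachable (RFC 8615 well-known URIs, where ACME http-01 challenges live, which is one answer to the question of which dot-directories do need serving), and shows on constructed sample paths which of them the regex posted above matches on its own (as written it does not match a repository at the document root or a percent-encoded dot, which is why the check decodes and normalizes first). The allowlist tuple and the sample paths are my assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# The pattern exactly as posted in the comment above, applied to the raw path.
POSTED_PATTERN = re.compile(r"^/.*/\.git/")

# Hypothetical allowlist: the one dot-directory most sites must keep serving
# (RFC 8615 well-known URIs, e.g. ACME http-01 challenges).
ALLOWED_DOT_PREFIXES = ("/.well-known/",)


def normalize(path: str) -> str:
    """Percent-decode and collapse '.'/'..' segments so that spellings such as
    /%2egit/ or /static/../.git/ are judged by the path they actually name."""
    decoded = unquote(path)
    # normpath keeps the leading '/', resolves '..' and squeezes '//';
    # a leading '..' cannot climb above the root.
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"  # keep directory requests recognisable as such
    return norm


def is_hidden_path(path: str) -> bool:
    """True when any component of the normalized path starts with '.',
    unless the path lies under an allowlisted prefix."""
    norm = normalize(path)
    if norm.startswith(ALLOWED_DOT_PREFIXES):
        return False
    return any(seg.startswith(".") for seg in norm.split("/") if seg)


def posted_pattern_matches(path: str) -> bool:
    """What the regex from the comment blocks (no decoding, no normalization)."""
    return POSTED_PATTERN.search(path) is not None


# Constructed sample request paths, not taken from any real site.
SAMPLE_REQUESTS = [
    "/.git/config",                       # repository at the document root
    "/blog/.git/HEAD",                    # repository in a subdirectory
    "/%2egit/HEAD",                       # percent-encoded dot
    "/static/../.git/HEAD",               # dot-segment traversal
    "/.env",                              # other dotfiles worth hiding
    "/.well-known/acme-challenge/token",  # must stay reachable
    "/index.php",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:38} block={is_hidden_path(req)!s:5} "
              f"posted_regex={posted_pattern_matches(req)}")
```

A rule like this belongs in the web server in front of the application, because static files are served before any application code runs; in nginx the equivalent is a `location ~ /\. { deny all; }` block preceded by a `location ^~ /.well-known/` exception. Pointing the document root at a subdirectory below the checkout, so that .git sits outside the served tree altogether, removes the problem rather than filtering it.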
65 | \r | |
66 | \r | |
67 | ** \r | |
68 | \r | |
69 | ** Re:https://slashdot.org/.git (Score:4, Informative)\r | |
70 | (by ls671 ( 1122017 ))\r | |
71 | \r | |
72 | \r | |
73 | Slashdot is still using CVS try [1]https://slashdot.org/CVS/\r | |
74 | [slashdot.org]\r | |
75 | you will see, it works! :)\r | |
76 | \r | |
77 | \r | |
78 | \r | |
79 | \r | |
80 | [1] https://slashdot.org/CVS/\r | |
81 | \r | |
82 | \r | |
83 | ** Your central git repo ... (Score:1)\r | |
84 | (by Qbertino ( 265505 ))\r | |
85 | \r | |
86 | \r | |
87 | ... belongs behind ssh or, at least, behind http access and SSL.\r | |
88 | If I catch you doing otherwise for anything other than FOSS\r | |
89 | software I'll smack you. Hard.\r | |
90 | \r | |
91 | ** Re:Your central git repo ... (Score:4, Informative)\r | |
92 | (by tlhIngan ( 30335 ))\r | |
93 | \r | |
94 | \r | |
95 | > ... belongs behind ssh or, at least, behind http access and\r | |
96 | > SSL.\r | |
97 | > If I catch you doing otherwise for anything other than FOSS\r | |
98 | > software I'll smack you. Hard.\r | |
99 | And it probably is. The thing is, the website owners are\r | |
100 | using git to version control and deploy their website (not a\r | |
101 | bad idea). So they develop their web site, push it to the\r | |
102 | central git repo, and whenever they need to go live, they\r | |
103 | just do a "git pull" on the webserver and it'll pull down the\r | |
104 | latest version of the website.\r | |
105 | Problem is, they forget about the hidden .git directory git\r | |
106 | makes that stores all sorts of useful information and with a\r | |
107 | little persistence, allow you access to the raw source code\r | |
108 | since you can access the individual git objects. (Or maybe\r | |
109 | even clone it using git).\r | |
110 | \r | |
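To make concrete what the comment above describes (reading the individual git objects out of an exposed .git directory and reassembling the source), here is an added example in Python; it is mine, not code from any commenter, from git or from the SC Magazine research. It writes the loose objects of a two-commit repository by hand, in git's on-disk object format (zlib-compressed '<type> <size>\0payload', addressed by the SHA-1 of the uncompressed bytes), then walks HEAD -> ref -> commit -> tree -> blob and follows the parent chain, which is how a file deleted in the latest commit is still recovered. File names, contents and commit data are constructed test data. Against a live site the same walk fetches /.git/HEAD, /.git/refs/heads/..., and /.git/objects/xx/yyyy... one URL at a time; a plain git clone of an exposed directory usually fails because the dumb-HTTP transport needs info/refs, which is why scrapers fetch objects individually.

```python
import hashlib
import os
import tempfile
import zlib


def write_object(git_dir, kind, data):
    """Store a loose object as git does: zlib('<type> <size>\\0' + data), named by its SHA-1."""
    raw = f"{kind} {len(data)}".encode() + b"\0" + data
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha


def read_object(git_dir, sha):
    """Inverse of write_object: (type, payload) of one loose object."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, payload = raw.split(b"\0", 1)
    kind, size = header.decode().split(" ")
    if int(size) != len(payload):
        raise ValueError(f"corrupt object {sha}")
    return kind, payload


def parse_tree(payload):
    """Tree entries are '<mode> <name>\\0' followed by a 20-byte binary SHA-1."""
    entries, pos = [], 0
    while pos < len(payload):
        nul = payload.index(b"\0", pos)
        mode, name = payload[pos:nul].decode().split(" ", 1)
        entries.append((mode, name, payload[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries


def files_of_tree(git_dir, tree_sha, prefix=""):
    """Flatten a tree, recursing into subtrees (mode 40000), into {path: bytes}."""
    files = {}
    for mode, name, sha in parse_tree(read_object(git_dir, tree_sha)[1]):
        if mode == "40000":
            files.update(files_of_tree(git_dir, sha, prefix + name + "/"))
        else:
            files[prefix + name] = read_object(git_dir, sha)[1]
    return files


def dump_history(git_dir):
    """HEAD -> ref -> commit -> parent ...: the files of every commit, newest first."""
    with open(os.path.join(git_dir, "HEAD")) as fh:
        ref = fh.read().strip().split("ref: ", 1)[-1]
    with open(os.path.join(git_dir, ref)) as fh:
        sha = fh.read().strip()
    snapshots = []
    while sha:
        headers = read_object(git_dir, sha)[1].split(b"\n\n", 1)[0].decode()
        fields = dict(line.split(" ", 1) for line in headers.splitlines())
        snapshots.append(files_of_tree(git_dir, fields["tree"]))
        sha = fields.get("parent", "")  # files deleted in HEAD survive in parents
    return snapshots


def build_sample_repo(git_dir):
    """Constructed test data, written without git: commit 1 ships a config file
    holding a database password, commit 2 deletes that file again."""
    who = b"dev <dev@example.invalid> 1536260000 +0000"

    def tree(entries):
        payload = b"".join(f"{m} {n}".encode() + b"\0" + bytes.fromhex(s) for m, n, s in entries)
        return write_object(git_dir, "tree", payload)

    def commit(tree_sha, parent, message):
        body = f"tree {tree_sha}\n".encode() + (f"parent {parent}\n".encode() if parent else b"")
        body += b"author " + who + b"\ncommitter " + who + b"\n\n" + message
        return write_object(git_dir, "commit", body)

    index = write_object(git_dir, "blob", b"<?php require 'inc/config.php';\n")
    secret = write_object(git_dir, "blob", b"<?php $db_pass = 'hunter2';\n")
    keep = write_object(git_dir, "blob", b"")
    c1 = commit(tree([("100644", "index.php", index),
                      ("40000", "inc", tree([("100644", "config.php", secret)]))]), "", b"initial import\n")
    c2 = commit(tree([("100644", "index.php", index),
                      ("40000", "inc", tree([("100644", ".gitkeep", keep)]))]), c1, b"remove credentials\n")
    os.makedirs(os.path.join(git_dir, "refs", "heads"), exist_ok=True)
    with open(os.path.join(git_dir, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as fh:
        fh.write(c2 + "\n")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, ".git")
        build_sample_repo(git_dir)
        return dump_history(git_dir)
```

Calling `demo()` returns two snapshots: HEAD contains only index.php and inc/.gitkeep, while HEAD~1 still yields inc/config.php with the password. Two caveats for real dumps: this handles loose objects only, and git moves objects into .git/objects/pack/*.pack (and refs into packed-refs) after gc or when they arrive through fetch/pull, so a dumper has to parse packfiles too; and because every parent commit stays reachable from HEAD, deleting a secret in a later commit does not remove it from the repository, only rewriting history (and rotating the credential) does.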
** Re: (Score:2)
(by jrumney ( 197329 ))


I do this; it is very convenient for deploying updates to
the site. But I always put the web interface into a
subdirectory, and only configure the web server to see
that, so the .git directory is not visible over HTTP. And
dotfiles and directories are blocked in the webserver
config for extra protection against accidental inclusion
of invisible files.



** reheating yesterday's food (Score:3)
(by Tsolias ( 2813011 ))


Just an article from 2015: [1]https://en.internetwache.org/d...
I can also give you next year's article about .file
vulnerabilities (spoiler alert):
[2]https://en.internetwache.org/s...




[1] https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
[2] https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/


** KKK (Score:2)
(by Tsolias ( 2813011 ))


> That's what you get on hiring those bootcamp "graduates"
Kode w/ Karlie Kloss, like it or not.


** Alternate headline: 99.8% websites are OK (Score:2)
(by jmichaelg ( 148257 ))


230 million websites. 400k poorly configured. 4×10^5 / 2.3×10^8 is
less than 0.2% of websites surveyed screwed this up.
400k is a big number but it's good to know most developers
aren't that stupid on this issue.


** Re: yarn dist (Score:2)
(by TimMD909 ( 260285 ))


... Equifax types for free security tests from 3rd parties
and press coverage, presumably...


** So? (Score:2)
(by cshark ( 673578 ))


An open git directory will be everything you need to reconstruct
the site, more often than not from the same server you're
targeting. Scary. Database servers are rarely open. Short of
some serious hacking, there isn't a lot you're going to be able
to do with this stuff once you've obtained the information
you're waving around here.
Until such time as I see hackers actually logging in with this
information and defacing github, I'm going to remain unconvinced
of the severity of this one.

** Re: (Score:2)
(by OrangeTide ( 124937 ))


My website's .git directories are open intentionally. Makes
for convenient mirroring and viewing of archives without
having to hope and pray the Wayback Machine picked up my obscure
website.
I'm not too worried. It's just data on the filesystem, it's
not executing programs. And the data is not supposed to
contain any secrets. If it ever does then I'd better rewrite my
git history.


** Re: (Score:1)
(by Anonymous Coward)


The most likely actual security implication is hard-coded
keys to 3rd party APIs.
Not that this is an inevitable threat, it’s just
something I could see being inadvertently exposed and useful
without much additional effort.

** Re: (Score:1)
(by Orrin Bloquy ( 898571 ))


> it’s
Clear something up: are you typing curly
quotes/apostrophes on purpose, or do you have your browser
configured to automatically do that?



** Re: (Score:2)
(by jonwil ( 467024 ))


What about if that .git folder (and the website's source
code) included private keys for stuff. Or credentials/API
keys for 3rd party services. Or credentials for database and
other servers.

