400,000 WEBSITES VULNERABLE THROUGH EXPOSED .GIT DIRECTORIES
(SCMAGAZINE.COM)

Thursday September 06, 2018 @11:30PM (msmash)
from the security-woes dept.

o Reference: 0102639752
o News link: https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories
o Source link: https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/


Open .git directories are a bigger cybersecurity problem than
many might imagine, at least according to a Czech security
researcher who discovered almost 400,000 web pages with an
open .git directory possibly exposing a wide variety of data.
From a report: Vladimir Smitka began his .git directory
odyssey in July when he began looking at Czech websites to
find how many were improperly configured and allow access to
their .git folders within the file versions repository. Open
.git directories are a particularly dangerous issue, he said,
because they can contain a great deal of sensitive
information. "Information about the website's structure, and
sometimes you can get very sensitive data such as database
passwords, API keys, development IDE settings, and so on.
However, this data shouldn't be stored in the repository, but
in previous scans of various security issues, I have found
many developers that do not follow these best practices,"
Smitka wrote. Smitka queried 230 million websites to discover
the 390,000 allowing access to their .git directories. The
vast majority of the websites with open directories had a .com
TLD with .net, .de, .org and uk comprising most of the others.


** Re: (Score:2, Informative)
(by MidSpeck ( 1516577 ))


^/.*/\.git/
Protect git repositories in all subdirectories as well.


** Re: (Score:2)
(by jrumney ( 197329 ))


Why stop there? Are there any dot files/directories that need
to be served over HTTP?


** Re: .htaccess (Score:3)
(by spongman ( 182339 ))


Why doesn't Apache block all '.'-prefixed directories by
default?


** Re:https://slashdot.org/.git (Score:4, Informative)
(by ls671 ( 1122017 ))


Slashdot is still using CVS try [1]https://slashdot.org/CVS/
[slashdot.org]
you will see, it works! :)




[1] https://slashdot.org/CVS/


** Your central git repo ... (Score:1)
(by Qbertino ( 265505 ))


... belongs behind ssh or, at least, behind http access and SSL.
If I catch you doing otherwise for anything other than FOSS
software I'll smack you. Hard.

** Re:Your central git repo ... (Score:4, Informative)
(by tlhIngan ( 30335 ))


> ... belongs behind ssh or, at least, behind http access and
> SSL.
> If I catch you doing otherwise for anything other than FOSS
> software I'll smack you. Hard.
And it probably is. The thing is, the website owners are
using git to version control and deploy their website (not a
bad idea). So they develop their web site, push it to the
central git repo, and whenever they need to go live, they
just do a "git pull" on the webserver and it'll pull down the
latest version of the website.
Problem is, they forget about the hidden .git directory git
makes that stores all sorts of useful information and with a
little persistence, allow you access to the raw source code
since you can access the individual git objects. (Or maybe
even clone it using git).

** Re: (Score:2)
(by jrumney ( 197329 ))


I do this, it is very convenient for deploying updates to
the site. But I always put the web interface into a
subdirectory, and only configure the web server to see
that so the .git directory is not visible over HTTP. And
dotfiles and directories are blocked in the webserver
config for extra protection against accidental inclusion
of invisible files.
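An Apache 2.4 configuration that puts together the two defences described in this thread: jrumney's layout, where the git checkout sits outside the served tree and only a subdirectory of it is the document root, and MidSpeck's rule of denying .git at any depth, extended to every dot-prefixed path. This is an added example written for this page, not configuration posted by either of them; the paths /srv/example-site and /srv/example-site/public are assumed placeholders, and the exception for .well-known (needed for ACME certificate challenges) is an addition of mine, not something the thread discusses.

```apache
# Added example; not from the thread. Layout assumed:
#   /srv/example-site/         git work tree; .git lives here and is never served
#   /srv/example-site/public/  the only directory Apache is pointed at
# The deploy step on the server stays "cd /srv/example-site && git pull";
# the checkout is updated, but DocumentRoot never points at it.

DocumentRoot "/srv/example-site/public"

<Directory "/srv/example-site/public">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Second line of defence in case a DocumentRoot or Alias is ever pointed at
# the checkout itself: deny every directory whose name starts with a dot, at
# any depth (.git, .svn, .hg, .idea, ...). The generalisation of MidSpeck's
# ^/.*/\.git/ rule; .well-known is exempted so ACME HTTP-01 keeps working.
<DirectoryMatch "/\.(?!well-known)">
    Require all denied
</DirectoryMatch>

# Same for dot-files at any depth (.env, .gitignore, .htpasswd, .DS_Store).
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Answer "404 Not Found" rather than "403 Forbidden" for dotted URL paths,
# so a blocked .git is indistinguishable from one that does not exist.
# mod_alias handles this before authorization, so it is hit first.
RedirectMatch 404 "/\.(?!well-known)"
```

After `apachectl configtest` and a reload, a self-check from outside is `curl -sI https://example.com/.git/HEAD` (placeholder host), which should now return 404, while `curl -sI https://example.com/.well-known/` still reaches the directory. The Directory/Files rules and the RedirectMatch overlap on purpose: the redirect covers the URL space, the match directives cover the filesystem, so a future Alias or rewrite that bypasses one still trips the other.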



** reheating yesterday's food (Score:3)
(by Tsolias ( 2813011 ))


just an article from 2015 [1]https://en.internetwache.org/d...
[internetwache.org]
I can give you also next year's article about .file
vulnerabilities. (spoiler alert)
[2]https://en.internetwache.org/s... [internetwache.org]




[1]
https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
[2]
https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/


** KKK (Score:2)
(by Tsolias ( 2813011 ))


> That's what you get on hiring those bootcamp "graduates"
Kode w/ Karlie Kloss, like it or not.


** Alternate headline: 99.8% websites are OK (Score:2)
(by jmichaelg ( 148257 ))


230 million websites. 400k poorly configured. 4*10^5/2.3*10^8 is
less than 0.2% of websites surveyed screwed this up.
400k is a big number but it's good to know most developers
aren't that stupid on this issue.


** Re: yarn dist (Score:2)
(by TimMD909 ( 260285 ))


... Equifax types for free security tests from 3rd parties
and press coverage, presumably...


** So? (Score:2)
(by cshark ( 673578 ))


An open git directory will be everything you need to reconstruct
the site, more often than not from the same server you're
targeting. Scary. Database servers are rarely open. Short of
some serious hacking, there isn't a lot you're going to be able
to do with this stuff once you've obtained the information
you're waving around here.
Until such time as I see hackers actually logging in with this
information and defacing github, I'm going to remain unconvinced
of the severity of this one.

** Re: (Score:2)
(by OrangeTide ( 124937 ))


My website's .git directories are open intentionally. Makes
for convenient mirroring and viewing of archives without
having to hope and pray wayback machine picked up my obscure
website.
I'm not too worried. It's just data on the filesystem, it's
not executing programs. And the data is not supposed to
contain any secrets. If it ever does then I better rewrite my
git history.


** Re: (Score:1)
(by Anonymous Coward)


The most likely actual security implication is hard coded
keys to 3rd party APIs.
Not that this is an inevitable threat, it’s just
something I could see being inadvertently exposed and useful
without much additional effort.

** Re: (Score:1)
(by Orrin Bloquy ( 898571 ))


> it’s
Clear something up, are you typing curly
quotes/apostrophes on purpose or do you have your browser
configured to automatically do that.



** Re: (Score:2)
(by jonwil ( 467024 ))


What about if that .git folder (and the website's source
code) included private keys for stuff. Or credentials/API
keys for 3rd party services. Or credentials for database and
other servers.

