1 400,000 WEBSITES VULNERABLE THROUGH EXPOSED .GIT DIRECTORIES
4 Thursday September 06, 2018 @11:30PM (msmash)
5 from the security-woes dept.
7 o Reference: 0102639752
8 o News link: https://tech.slashdot.org/story/18/09/06/1954253/400000-websites-vulnerable-through-exposed-git-directories
9 o Source link: https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/
12 Open .git directories are a bigger cybersecurity problem than
13 many might imagine, at least according to a Czech security
14 researcher who [1]discovered almost 400,000 web pages with an
15 open .git directory possibly exposing a wide variety of data.
18 > Vladimir Smitka began his .git directory odyssey in July
19 when he began looking at Czech websites to find how many were
20 improperly configured and allow access to their .git folders
21 within the file versions repository. Open .git directories are
22 a particularly dangerous issue, he said, because they can
23 contain a great deal of sensitive information. "Information
24 about the website's structure, and sometimes you can get very
25 sensitive data such as database passwords, API keys,
26 development IDE settings, and so on. However, this data
27 shouldn't be stored in the repository, but in previous scans
28 of various security issues, I have found many developers that
29 do not follow these best practices," Smitka wrote. Smitka
30 queried 230 million websites to discover the 390,000 allowing
31 access to their .git directories. The vast majority of the
32 websites with open directories had a .com TLD with .net, .de,
33 .org and uk comprising most of the others.
37 [1] https://www.scmagazine.com/home/news/400000-websites-vulne-
38 rable-through-exposed-git-directories/
43 ** Re: (Score:2, Informative)
44 (by MidSpeck ( 1516577 ))
48 Protect git repositories in all subdirectories as well.
52 (by jrumney ( 197329 ))
55 Why stop there? Are there any dot files/directories that need
56 to be served over HTTP?
59 ** Re: .htaccess (Score:3)
60 (by spongman ( 182339 ))
63 Why doesn't Apache block all '.'-prefixed directories by
69 ** Re:https://slashdot.org/.git (Score:4, Informative)
70 (by ls671 ( 1122017 ))
73 Slashdot is still using CVS try [1]https://slashdot.org/CVS/
75 you will see, it works! :)
80 [1] https://slashdot.org/CVS/
83 ** Your central git repo ... (Score:1)
84 (by Qbertino ( 265505 ))
87 ... belongs behind ssh or, at least, behind http access and SSL.
88 If I catch you doing otherwise for anything other than FOSS
89 software I'll smack you. Hard.
91 ** Re:Your central git repo ... (Score:4, Informative)
92 (by tlhIngan ( 30335 ))
95 > ... belongs behind ssh or, at least, behind http access and
97 > If I catch you doing otherwise for anything other than FOSS
98 > software I'll smack you. Hard.
99 And it probably is. The thing is, the website owners are
100 using git to version control and deploy their website (not a
101 bad idea). So they develop their web site, push it to the
102 central git repo, and whenever they need to go live, they
103 just do a "git pull" on the webserver and it'll pull down the
104 latest version of the website.
105 Problem is, they forget about the hidden .git directory git
106 makes that stores all sorts of useful information and with a
107 little persistence, allow you access to the raw source code
108 since you can access the individual git objects. (Or maybe
109 even clone it using git).
112 (by jrumney ( 197329 ))
115 I do this, it is very convenient for deploying updates to
116 the site. But I always put the web interface into a
117 subdirectory, and only configure the web server to see
118 that so the .git directory is not visible over HTTP. And
119 dotfiles and directories are blocked in the webserver
120 config for extra protection against accidental inclusion
125 ** reheating yesterday's food (Score:3)
126 (by Tsolias ( 2813011 ))
129 just an article from 2015 [1]https://en.internetwache.org/d...
131 I can give you also next year's article about .file
132 vulnerabilities. (spoiler alert)
133 [2]https://en.internetwache.org/s... [internetwache.org]
139 https://en.internetwache.org/dont-publicly-expose-git-or-how-we-
140 downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-
143 https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-st-
144 ore-files-12-03-2018/
149 (by Tsolias ( 2813011 ))
152 > Thats what you get on hiring those bootcamp "graduates"
153 Kode w/ Karlie Kloss, like it or not.
156 ** Alternate headline: 99.8% websites are OK (Score:2)
157 (by jmichaelg ( 148257 ))
160 230 million websites. 400k poorly configured. 4*10^5/2.3*10^8 is
161 less than 0.2% of websites surveyed screwed this up.
162 400k is a big number but it's good to know most developers
163 aren't that stupid on this issue.
167 ** Re: yarn dist (Score:2)
168 (by TimMD909 ( 260285 ))
171 ... Equifax types for free security tests from 3rd parties
172 and press coverage, presumably...
176 (by cshark ( 673578 ))
179 An open git directory will be everything you need to reconstruct
180 the site, more often than not from the same server you're
181 targeting. Scary. Database servers are rarely open. Short of
182 some serious hacking, there isn't a lot you're going to be able
183 to do with this stuff once you've obtained the information
184 you're waving around here.
185 Until such time as I see hackers actually logging in with this
186 information and defacing github, I'm going to remain unconvinced
187 of the severity of this one.
190 (by OrangeTide ( 124937 ))
193 My website's .git directories are open intentionally. Makes
194 for convenient mirroring and viewing of archives without
195 having to hope and pray wayback machine picked up my obscure
197 I'm not too worried. It's just data on the filesystem, it's
198 not executing programs. And the data is not supposed to
199 contain any secrets. If it ever does then I better rewrite my
204 (by Anonymous Coward)
207 The most likely actual security implication is hard coded
208 keys to 3rd party APIs.
209 Not that this is an inevitable threat, itâ(TM)s just
210 something I could see being inadvertently exposed and useful
211 without much additional effort.
214 (by Orrin Bloquy ( 898571 ))
218 Clear something up, are you typing curly
219 quotes/apostrophes on purpose or do you have your browser
220 configured to automatically do that.
225 (by jonwil ( 467024 ))
228 What about if that .git folder (and the website's source
229 code) included private keys for stuff. Or credentials/API
230 keys for 3rd party services. Or credentials for database and