Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by websafety_ninja - 08.01.2025
Last edited by cbay - 08.01.2025

FS#122 - .git folder exposed at https://security.alwaysdata.com/.git/config

https://security.alwaysdata.com/.git/config

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = https://github.com/flyspray/flyspray.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master

https://security.alwaysdata.com/.gitignore

flyspray.conf.php
img/veloz.png
attachments/*
/.idea/
/nbproject/*
vendor/*
composer.lock
composer.phar
/_site/
.htaccess
*.PHPEditProject
/avatars/*
/lang/*.php.bak
/lang/*.php.safe
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json

https://security.alwaysdata.com/.git/logs/HEAD

0000000000000000000000000000000000000000 58bea729f4359a45f69aaba274bb2a931155b427 Cyril Baÿ 1704809861 +0100    clone: from https://github.com/flyspray/flyspray.git
.gitignore
.travis.yml
LICENSE
README.md
SECURITY.md
includes/.htaccess
cache/index.html
fonts/index.html
caddy.dist
composer.json
...
...
themes/CleanFS/templates/reports.tpl
themes/CleanFS/templates/roadmap.text.tpl
themes/CleanFS/templates/roadmap.tpl
themes/CleanFS/templates/shortcuts.tpl
themes/CleanFS/templates/toplevel.tpl
themes/CleanFS/theme.css
themes/CleanFS/theme_print.css
themes/CleanFS/typography.css
themes/CleanFS/up.png
vendor/.htaccess

Conclusion

  • The Git index allows accessing the file list and source code through .git/objects/
  • You can see the top of the list of files above
  • I haven't accessed those files' content because it's not necessary for the report according to the Responsible Disclosure policy.
  • My assumption is that some of those files contain sensitive information, which can be used to escalate the vulnerability.

Resolving suggestions

  1. Remove access to the .git folder from the web, e.g. in the webserver config or using an .htaccess file
  2. Review the repository content, considering all data compromised because it has been publicly available for a while.
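
After applying suggestion 1, the deny rule should be verified from the outside. The script below is an added example (not part of the report or of Flyspray) that probes the three .git paths the report lists and judges exposure from both status code and body, so that servers which answer every path with 200 (soft 404s) or redirect to a login page are not mistaken for an exposed repository; the fetcher is injectable so the logic can be exercised with constructed responses, and the base URL is whatever host you are checking.

```python
"""Added example (not part of the report): verify a /.git/ deny rule.
Judges exposure from status code *and* body, because servers that answer
every path with 200 (soft 404s) would otherwise produce false alarms.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]

# What each genuine file starts with; an HTML error page matches none of these.
GIT_SIGNATURES = {
    "/.git/HEAD": re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})\s*$"),
    "/.git/config": re.compile(rb"^\s*\[core\]"),
    "/.git/logs/HEAD": re.compile(rb"^[0-9a-f]{40} [0-9a-f]{40} "),
}

def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Default fetcher: plain GET, first 4 KiB of the body, 4xx returned not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)

def check_git_exposure(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Map each probed path to 'exposed', 'blocked' or 'unknown'."""
    verdicts = {}
    for path, signature in GIT_SIGNATURES.items():
        status, body = fetch(base_url.rstrip("/") + path)
        if status == 200 and signature.match(body):
            verdicts[path] = "exposed"
        elif status in (403, 404, 410):
            verdicts[path] = "blocked"  # what a correct deny rule produces
        else:
            verdicts[path] = "unknown"  # soft 404, redirect, 5xx: inspect by hand
    return verdicts

def is_fixed(verdicts: Dict[str, str]) -> bool:
    """The fix is confirmed only when every probed path is blocked."""
    return all(v == "blocked" for v in verdicts.values())

if __name__ == "__main__":
    import sys
    result = check_git_exposure(sys.argv[1])
    print("\n".join(f"{v:8} {p}" for p, v in result.items()))
    sys.exit(0 if is_fixed(result) else 1)
```

Run it as `python3 check_git.py https://your-host/`; a non-zero exit means at least one path is still reachable or needs manual inspection.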
Closed by cbay
08.01.2025 13:52
Reason for closing: Duplicate
Additional comments about closing: https://security.alwaysdata.com/task/84
