Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by TheeHerbie - 04.05.2025
Last edited by cbay - 04.05.2025

FS#168 - Responsible Disclosure Report: Public Exposure of .git/config on security.alwaysdata.com

Hi Team,

I wish you a great day ahead. Please take time to review this report and let me know if there is anything I can help you with.

Summary:
A publicly accessible .git/config file has been discovered at https://security.alwaysdata.com/.git/config. This exposure may indicate that the entire .git/ directory is accessible, allowing for potential leakage of source code, repository metadata, internal configuration, and potentially sensitive information.

Proof of Concept (PoC):
1. Visit the following URL: https://security.alwaysdata.com/.git/config
2. The server responds with Git configuration details:

[core]
  repositoryformatversion = 0
  filemode = true
  bare = false
  logallrefupdates = true
[remote "origin"]
  url = https://github.com/flyspray/flyspray.git
  fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
  remote = origin
  merge = refs/heads/master

3. Other files likely accessible:
  • .git/HEAD
  • .git/index
  • .git/logs/HEAD
  • .git/objects/ (may allow full repo reconstruction)

4. I was able to access the following links:
  • https://security.alwaysdata.com/.git/config
  • https://security.alwaysdata.com/.git/logs/HEAD
  • https://security.alwaysdata.com/.git/refs/heads/master

Security Impact:
1. Exposed .git/ directories can be exploited to:
  • Download the entire source code via tools like git-dumper or DVCS-Pillage.
  • Identify internal logic, vulnerabilities, or credentials.
  • Facilitate targeted exploitation by analyzing application internals.
2. This is a well-known vulnerability class and has been featured in multiple security advisories (e.g., NCSC CH advisory).

Recommendation:

  • Immediately restrict public access to the .git/ directory using server configuration (e.g., .htaccess, nginx rules).
  • Audit the repository history for any sensitive data accidentally committed.
  • Monitor for any suspicious activity or exploitation attempts.

Disclosure Policy:
This report is submitted in good faith under your published Bug Bounty Program. Please let me know if additional details or testing are needed. I will not disclose this issue publicly without your explicit permission.

Thank you for your attention to this issue.

Best regards,
TheeHerbie
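
Added as an example here (not part of the original report or of Flyspray): a post-remediation self-check that requests the .git/ paths listed in the report on a host you operate and reports which ones still return Git-shaped data. The path list and the per-file format checks are assumptions drawn from the report; after the deny rule from the recommendation is deployed, every path should come out as blocked.

```python
"""Self-check for a web-exposed .git/ directory (added example, not Flyspray code).

Usage: python git_exposure_check.py https://host.example   # exit 1 if anything leaks
"""
import sys
import urllib.error
import urllib.request

# Paths named in the report; each has a recognisable on-disk format (assumption).
GIT_PATHS = ("/.git/HEAD", "/.git/config", "/.git/logs/HEAD", "/.git/refs/heads/master")
HEX = set("0123456789abcdef")


def _is_oid(token):
    """A Git object id: 40 lowercase hex characters (SHA-1 repositories)."""
    return len(token) == 40 and set(token) <= HEX


def looks_like_git_artifact(path, body):
    """True when `body` has the shape of the Git file at `path`.
    Checked instead of trusting status codes, because some servers answer
    a soft 404 (HTTP 200 with an HTML error page)."""
    text = body.decode("utf-8", errors="replace").strip()
    if "<html" in text.lower():
        return False
    if "/refs/heads/" in path:                 # loose ref: bare object id
        return _is_oid(text)
    if "/logs/" in path:                        # reflog: "<old oid> <new oid> ..."
        fields = text.split("\n", 1)[0].split()
        return len(fields) >= 2 and _is_oid(fields[0]) and _is_oid(fields[1])
    if path.endswith("/HEAD"):                  # symbolic ref or detached oid
        return text.startswith("ref: refs/") or _is_oid(text)
    if path.endswith("/config"):                # INI-style repository config
        return text.startswith("[core]") and "repositoryformatversion" in text
    return False


def exposed_paths(responses):
    """responses: {path: (status, body_bytes)} -> paths that still leak Git data."""
    return [p for p, (status, body) in responses.items()
            if status == 200 and looks_like_git_artifact(p, body)]


def fetch_all(base_url):
    """Fetch each path; network or HTTP errors count as blocked (non-200)."""
    results = {}
    for p in GIT_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + p,
                                     headers={"User-Agent": "git-exposure-selfcheck"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                results[p] = (resp.status, resp.read(4096))
        except urllib.error.HTTPError as err:
            results[p] = (err.code, b"")
        except (urllib.error.URLError, OSError):
            results[p] = (0, b"")
    return results


if __name__ == "__main__":
    found = fetch_all(sys.argv[1])
    leaks = exposed_paths(found)
    for path in GIT_PATHS:
        print(f"{path}: {'EXPOSED' if path in leaks else 'blocked'} (status {found[path][0]})")
    sys.exit(1 if leaks else 0)
```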

Closed by cbay
04.05.2025 09:34
Reason for closing: Duplicate
Additional comments about closing:

https://security.alwaysdata.com/task/84
