- Status Closed
-
Assigned To
cbay - Private
Opened by niss - 20.06.2026
Last edited by cbay - 20.06.2026
FS#344 - Exposed .git directory on security.alwaysdata.com leaks full source repository, deployed commit and
Title: Exposed .git directory on security.alwaysdata.com leaks full source repository, deployed commit and internal staff email
Severity: Medium
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Endpoint: https://security.alwaysdata.com/.git/
Summary
The Flyspray bug-tracker deployment served at security.alwaysdata.com exposes its version-control directory at /.git/ over HTTP. The web server returns the raw Git metadata (config, HEAD, the packed index, refs and reflog) instead of denying access to the dotfile directory. Anyone can download the complete repository, reconstruct the exact deployed source tree, read the pinned upstream commit hash for precise version fingerprinting, and recover internal information committed into the repository metadata (the deploying staff member's name and corporate email). Root cause: the document root is the working copy of the Git clone and the server has no rule blocking the .git/ path.
Steps to Reproduce
1. Request the repository config file. It returns the real Git configuration, revealing the directory is a live working clone and naming the upstream project:
curl -s https://security.alwaysdata.com/.git/config
Response excerpt:
[core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true [remote "origin"] fetch = +refs/heads/*:refs/remotes/origin/* [branch "master"] remote = origin merge = refs/heads/master
2. Request HEAD and the branch ref to obtain the exact deployed commit hash (precise version fingerprint):
curl -s https://security.alwaysdata.com/.git/HEAD curl -s https://security.alwaysdata.com/.git/refs/heads/master
Response:
ref: refs/heads/master 58bea729f4359a45f69aaba274bb2a931155b427
3. Request the reflog, which discloses the internal staff identity and the deployment timestamp committed into the repository:
curl -s https://security.alwaysdata.com/.git/logs/HEAD
Response:
0000000000000000000000000000000000000000 58bea729f4359a45f69aaba274bb2a931155b427 Cyril Bay <cbay@alwaysdata.com> 1704809861 +0100 clone: from https://github.com/flyspray/flyspray.git
4. Request the Git index to confirm the full tracked file tree is downloadable (102 KB binary index listing every source file in the deployment):
curl -s -o git_index https://security.alwaysdata.com/.git/index ; wc -c git_index ; strings git_index | head
Response excerpt:
102282 git_index docs/INSTALL.txt includes/password_compat.php js/ckeditor/build-config.js js/ckeditor/config.js
Note: from a normal client IP these requests return HTTP 200 with the content shown above. The site's edge firewall blocks IPs it has already flagged for scanning, but a first-time visitor (ordinary browser, fresh IP) reaches /.git/ without challenge, so the exposure is reachable by any attacker.
Impact
The complete .git directory is downloadable by an unauthenticated remote attacker, which allows them to:
- Reconstruct the entire deployed source tree of the security tracker (all PHP, JS and template files) by fetching the index and pack/loose objects.
- Identify the exact deployed commit (58bea729f4359a45f69aaba274bb2a931155b427, cloned 2024-01-09) and therefore the precise Flyspray version, enabling the attacker to map the running code against known Flyspray vulnerabilities (SQL injection, stored XSS and authentication-related CVEs have historically affected Flyspray) and craft targeted exploits with no guesswork. Flyspray's own config secrets (flyspray.conf.php) are not tracked in this repository, but the exact-version disclosure removes the attacker's need to fingerprint and directly aids exploitation of the live tracker.
- Recover internal information embedded in repository metadata, including a developer's full name and corporate email address (cbay@alwaysdata.com), usable for targeted phishing or credential-stuffing against staff.
Remediation
Deny all HTTP access to the .git/ directory at the web-server/proxy layer (for example, return 404 for any path containing /.git in nginx). Better still, do not deploy from a working Git clone: export the application without the .git directory (git archive or a build artifact) so version-control metadata never sits under the document root. Rotate any credentials or tokens that may have appeared in repository history, and review the reflog/objects for any sensitive data committed historically.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task