Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by niss - 20.06.2026
Last edited by cbay - 20.06.2026

FS#344 - Exposed .git directory on security.alwaysdata.com leaks full source repository, deployed commit and

Title: Exposed .git directory on security.alwaysdata.com leaks full source repository, deployed commit and internal staff email
Severity: Medium
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Endpoint: https://security.alwaysdata.com/.git/

Summary


The Flyspray bug-tracker deployment served at security.alwaysdata.com exposes its version-control directory at /.git/ over HTTP. The web server returns the raw Git metadata (config, HEAD, the packed index, refs and reflog) instead of denying access to the dotfile directory. Anyone can download the complete repository, reconstruct the exact deployed source tree, read the pinned upstream commit hash for precise version fingerprinting, and recover internal information committed into the repository metadata (the deploying staff member's name and corporate email). Root cause: the document root is the working copy of the Git clone and the server has no rule blocking the .git/ path.

Steps to Reproduce


1. Request the repository config file. It returns the real Git configuration, revealing the directory is a live working clone and naming the upstream project:

  curl -s https://security.alwaysdata.com/.git/config
 Response excerpt:
  [core]
  	repositoryformatversion = 0
  	filemode = true
  	bare = false
  	logallrefupdates = true
  [remote "origin"]
  	fetch = +refs/heads/*:refs/remotes/origin/*
  [branch "master"]
  	remote = origin
  	merge = refs/heads/master

2. Request HEAD and the branch ref to obtain the exact deployed commit hash (precise version fingerprint):

  curl -s https://security.alwaysdata.com/.git/HEAD
  curl -s https://security.alwaysdata.com/.git/refs/heads/master
 Response:
  ref: refs/heads/master
  58bea729f4359a45f69aaba274bb2a931155b427

3. Request the reflog, which discloses the internal staff identity and the deployment timestamp committed into the repository:

  curl -s https://security.alwaysdata.com/.git/logs/HEAD
 Response:
  0000000000000000000000000000000000000000 58bea729f4359a45f69aaba274bb2a931155b427 Cyril Bay <cbay@alwaysdata.com> 1704809861 +0100	clone: from https://github.com/flyspray/flyspray.git

4. Request the Git index to confirm the full tracked file tree is downloadable (102 KB binary index listing every source file in the deployment):

  curl -s -o git_index https://security.alwaysdata.com/.git/index ; wc -c git_index ; strings git_index | head
 Response excerpt:
  102282 git_index
  docs/INSTALL.txt
  includes/password_compat.php
  js/ckeditor/build-config.js
  js/ckeditor/config.js
 Note: from a normal client IP these requests return HTTP 200 with the content shown above. The site's edge firewall blocks IPs it has already flagged for scanning, but a first-time visitor (ordinary browser, fresh IP) reaches /.git/ without challenge, so the exposure is reachable by any attacker.

Impact


The complete .git directory is downloadable by an unauthenticated remote attacker, which allows them to:
- Reconstruct the entire deployed source tree of the security tracker (all PHP, JS and template files) by fetching the index and pack/loose objects.
- Identify the exact deployed commit (58bea729f4359a45f69aaba274bb2a931155b427, cloned 2024-01-09) and therefore the precise Flyspray version, enabling the attacker to map the running code against known Flyspray vulnerabilities (SQL injection, stored XSS and authentication-related CVEs have historically affected Flyspray) and craft targeted exploits with no guesswork. Flyspray's own config secrets (flyspray.conf.php) are not tracked in this repository, but the exact-version disclosure removes the attacker's need to fingerprint and directly aids exploitation of the live tracker.
- Recover internal information embedded in repository metadata, including a developer's full name and corporate email address (cbay@alwaysdata.com), usable for targeted phishing or credential-stuffing against staff.

Remediation


Deny all HTTP access to the .git/ directory at the web-server/proxy layer (for example, return 404 for any path containing /.git in nginx). Better still, do not deploy from a working Git clone: export the application without the .git directory (git archive or a build artifact) so version-control metadata never sits under the document root. Rotate any credentials or tokens that may have appeared in repository history, and review the reflog/objects for any sensitive data committed historically.

Closed by  cbay
20.06.2026 10:17
Reason for closing:  Duplicate
Additional comments about closing:  

https://security.alwaysda ta.com/task/337

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing