Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by roxy - 22.02.2024
Last edited by cbay - 22.02.2024

FS#35 - Git Folder Forbidden Bypass

Hi,
During google search I have found an Open sensitive git directory.
Git metadata directory (.git) was found in this folder. An attacker can extract sensitive information by requesting the hidden metadata directory that version control tool Git creates. The metadata directories are used for development purposes to keep track of development changes to a set of source code before it is committed back to a central repository (and vice-versa). When code is rolled to a live server from a repository, it is supposed to be done as an export rather than as a local working copy, and hence this problem.
Vulnerable URL:-
https://upload.alwaysdata.com/.git/ (403 forbidden)
bypass
https://upload.alwaysdata.com/.git/config https://upload.alwaysdata.com/.git/logs/HEAD

https://security.alwaysdata.com/.git/ (403 forbidden)
bypass
https://security.alwaysdata.com/.git/config https://security.alwaysdata.com/.git/logs/HEAD

These files may expose sensitive information that may help a malicious user to prepare more advanced attacks.
Remove these files from production systems or restrict access to the .git directory. To deny access to all the .git folders you need to add the following lines in the appropriate context (either global config, or vhost/directory, or from .htaccess)
Thanks

Closed by  cbay
22.02.2024 16:34
Reason for closing:  Invalid
Admin
cbay commented on 22.02.2024 15:07

Hello,

As you can see in the Git config file, that repository is simply a mirror of the public Jirafeau repository on GitHub.

Kind regards,
Cyril

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing