All Projects

ID Status Summary Opened by
280 Closed Vulnerability report Devansh811 Task Description

Hello Security Team,

I would like to responsibly disclose a security issue identified on your website.

Affected URL:
https://security.alwaysdata.com/.git/config

It appears that the .git directory is publicly accessible. This allows unauthenticated users to retrieve Git configuration files, indicating an exposed Git repository on the web server.

Issue Overview:
Public access to the .git directory exposes Git metadata such as repository configuration and structure. In some scenarios, this may allow an attacker to reconstruct the entire source repository and discover sensitive information (e.g., internal paths, credentials, remote URLs, or configuration history).

Impact:
An exposed .git directory may allow an attacker to:

Access the source code or intellectual property of the application

Discover internal file paths, branches, and historical changes

Potentially identify sensitive data such as keys or credentials if present

Facilitate additional targeted attacks or exploit development

Severity:
High

Suggested Remediation:

Block public access to the .git directory using server configuration (e.g., web server rules)

Remove the .git directory from the web root in production environments

Confirm that only necessary files are deployed in public-facing assets

This disclosure is submitted in good faith and does not involve destructive testing.

Please let me know if you need any further information.

Kind regards,
Devansh Chauhan
Security Researcher
LinkedIn: https://www.linkedin.com/in/devansh-chauhan-b36b6a1b1/
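The remediation above asks that the .git directory be removed from the web root and that only necessary files be deployed. The following pre-deploy check is an added example (not part of the report or of the site's own tooling): it walks a web root and refuses to publish if version-control metadata would be served. The set of metadata names and the sample layout it constructs are assumptions.

```python
"""Pre-deploy check: refuse to publish a web root that still contains VCS metadata.

Added example; the directory names below are assumptions, not anything from the report.
"""
import os
import sys
import tempfile
from pathlib import Path

# Version-control metadata that must never ship inside a public web root (assumed set).
VCS_NAMES = {".git", ".svn", ".hg"}


def find_vcs_metadata(webroot):
    """Return sorted relative paths of VCS metadata found under webroot.

    Both directories (a normal checkout) and plain files (git worktrees and
    submodules store a '.git' file) are reported. An empty list means clean.
    """
    root = Path(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name in VCS_NAMES:
                findings.append(str(Path(dirpath, name).relative_to(root)))
                dirnames.remove(name)  # no need to walk the metadata's own contents
        for name in filenames:
            if name in VCS_NAMES:
                findings.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(findings)


def check_webroot(webroot):
    """Exit-code style result: 0 if clean, 1 if metadata would be exposed."""
    findings = find_vcs_metadata(webroot)
    for path in findings:
        print(f"REFUSING DEPLOY: {path} would be served publicly", file=sys.stderr)
    return 1 if findings else 0


def build_sample_webroot():
    """Construct a throwaway web root: .git/config beside index.html (as in the report),
    a worktree-style '.git' file under vendor/, and a clean static/ subtree."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<h1>site</h1>\n")
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text("[core]\n\trepositoryformatversion = 0\n")
    (root / "vendor" / "lib").mkdir(parents=True)
    (root / "vendor" / "lib" / ".git").write_text("gitdir: ../../.git/worktrees/lib\n")
    (root / "static").mkdir()
    (root / "static" / "app.js").write_text("console.log('ok');\n")
    return root


if __name__ == "__main__":
    sys.exit(check_webroot(sys.argv[1] if len(sys.argv) > 1 else build_sample_webroot()))
```

Run it with the web root as its only argument in the deploy pipeline; a non-zero exit aborts the deploy before anything reaches the server.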

18 Closed .git file exposed Devansh811 Task Description

Hello support teams,

I hope this email finds you well. I am Devansh. I am a security researcher and I am writing to bring to your attention a security vulnerability that I have discovered on your website.

Report of the bug is as follows:

Vulnerability name: .git file exposed

Website : https://security.alwaysdata.com/.git/config

Overview of the Vulnerability

The danger occurs when the application leaves the “.git” directory, which is in the system root, exposed. By carelessness, an application that uses Git for versioning can expose the “.git” directory.

Steps to Reproduce

1. Open this website in the browser: https://cdn.anscommerce.com/.git/config

2. You can see the git file is open.

3. By the dotgit extension you can download the git file.

It can be exploited more, but that may cause harm to your website.

Impact of the vulnerability

The git folder is required to log every commit history and every other piece of information required for your remote repository, version control, commits, etc. These things are saved in different folders which have different meanings. Once the folder is created, open it and see the

References :

https://medium.com/stolabs/git-exposed-how-to-identify-and-exploit-62df3c165c37

https://www.acunetix.com/vulnerabilities/web/git-detected/

Please consider this as an urgent matter and prioritize the resolution of this vulnerability. If you require any additional information or assistance, do let me know.

Thank you for your attention to this matter, and I look forward to hearing from you soon.

Regards
Devansh

17 Closed Lack of password confirmation on account deletion Devansh811 Task Description

Hello support teams,
I hope this email finds you well. I am Devansh. I am a security researcher and I found a vulnerability in your website.

Bug name: Lack of password confirmation on account deletion

Description: The user account can be deleted without confirming the user password or re-authentication.
The removal of an account is one of the sensitive parts of any application that needs to be protected, therefore removing an account should validate the authenticity of the legitimate user.

Steps to reproduce:

1. Go to account settings and click on delete account.

2. There will be a next page where I click on the "delete my account now" option.

3. You will see the message that the account has been deleted and get logged out.

Remediation:
The system must confirm the authentic user before performing such a task. A link can be sent to the user's email id that can be used for the delete operation. Otherwise the user password should be provided to the application to confirm the entity's identity.

It seems to be of very low impact, but consider a situation when a user forgets to log out from his account or someone gets access to his phone and deletes the account. This situation is more severe than account takeover as there is no way to get the account again. All the saved information and data, including previous records, card information, etc., can be deleted.

Video PoC is attached.

Thanks and regards
Devansh
