All Projects

Description:
An exposed .git folder has been discovered on the website https://security.alwaysdata.com, which allows unauthorized access to sensitive files related to the site's source code repository. This could potentially lead to the leakage of sensitive information, such as configuration settings and code, which can facilitate further attacks.

URL:
https://security.alwaysdata.com/.git/config

Details:
By accessing the .git folder, the following sensitive files were found to be publicly accessible:

.git/config
.git/index
.git/packed-refs
.git/info/exclude
.git/logs/HEAD
And many more.

Example of Sensitive Information Exposed:

[core]

  repositoryformatversion = 0
  filemode = true
  bare = false
  logallrefupdates = true

[remote "origin"]

  url = https://github.com/flyspray/flyspray.git
  fetch = +refs/heads/*:refs/remotes/origin/*

[branch "master"]

  remote = origin
  merge = refs/heads/master

Using a tool such as GitDump, the entire .git directory was successfully dumped, providing full access to the contents of the repository. This may lead to further exploitation by attackers.

Exposed URLs:
https://security.alwaysdata.com/.git/index https://security.alwaysdata.com/.git/packed-refs https://security.alwaysdata.com/.git/info/exclude https://security.alwaysdata.com/.git/logs/HEAD

Impact:
Unauthorized Access to Source Code: Attackers can gain access to the complete source code, potentially uncovering proprietary algorithms, logic, and confidential information that could be misused for malicious purposes, including code analysis or redistribution.
Sensitive Information Disclosure: The .git/config file and other repository metadata may contain sensitive information, such as database credentials, API keys, or other secrets, which could allow attackers to gain unauthorized access to critical components of the infrastructure.
Potential for Further Exploitation: With access to the source code and potentially sensitive configuration details, attackers may be able to exploit additional vulnerabilities or gain deeper access to the system.

Remediation:
Remove these files from production systems or restrict access to the .git directory. To deny access to all the .git folders you need to add the following lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):

<Directory ~ ".git">
Order allow,deny
Deny from all
</Directory>

If further information is required, please let me know.

Thanks.

Summary:
The application at https://admin.alwaysdata.com allows users to set their old password as the new password when resetting their password via the "Forgot Password" link. This weakens the security of the platform by not enforcing password uniqueness, which is crucial for maintaining account security, especially after a password reset.

Description:
When a user resets their password via the "Forgot Password" link, the application allows them to reuse their old password as the new password. This behavior reduces the effectiveness of the password reset process, which is meant to provide users with fresh, secure credentials. If the old password was compromised, allowing the user to reset it back to the same password negates the entire purpose of the password reset feature.

Steps to Reproduce:
1.Go to the login page of https://admin.alwaysdata.com and click on Forgot Password.
2.Enter your registered email address and request a password reset link.
3.Use the received password reset link to reset your password.
4.Enter your current/old password as the "New Password" in the password reset form.
5.Confirm the password reset.
6.Notice that the application allows the old password to be reused without any restrictions.

Impact:
Weakens Account Security: Reusing the old password negates the purpose of a password reset, especially if the old password was compromised. This significantly increases the risk of account compromise.
Non-Compliance with Best Practices: Regulatory and security guidelines, such as OWASP and NIST password standards, require that new passwords must differ from previous ones to enhance security.

Recommendation:
Enforce Password History: Track the user’s password history (e.g., the last 5 passwords) and ensure that the newly set password during a reset is not one of the previously used passwords.

A vulnerability was identified on the alwaysdata account password reset feature that allows previously generated password reset links to remain functional even after a new reset link has been requested. This flaw can potentially allow unauthorized users to exploit old links and reset passwords, even when a user has already generated a new password reset link.

Steps to Reproduce:
1.Go to the password reset page: https://admin.alwaysdata.com/password/lost/ 2.Request a password reset link by entering your email at 10:00 AM.
3.Copy and save the password reset link received in the email (without using it).
4.At 10:05 AM, request a new password reset link by entering the same email.
5.Use the most recent password reset link received at 10:05 AM to reset your password.
6.Now, attempt to use the first password reset link received at 10:00 AM to reset the password again.
7.Observe that the first password reset link (from 10:00 AM) is still valid and allows you to reset the password, even though a new link was generated at 10:05 AM.

Impact
This vulnerability enables an attacker or malicious user to exploit old, still-active password reset links, even after a new reset link has been generated. This could potentially lead to account compromise and unauthorized access, posing a significant security risk to user accounts.

Recommendation:
Invalidate Old Password Reset Links: Ensure that when a new password reset link is generated, all previously issued links are immediately invalidated.
Token Management: Implement a more secure token management system where each password reset token is tracked, and all previous tokens are invalidated once a new token is generated. Only the latest reset token should be valid at any given time.