Slashdot Mirror

← Back to Stories (view on slashdot.org)

400,000 Websites Vulnerable Through Exposed .git Directories (scmagazine.com)

Posted by msmash on from the security-woes dept.

Open .git directories are a bigger cybersecurity problem than many might imagine, at least according to a Czech security researcher who discovered almost 400,000 web pages with an open .git directory possibly exposing a wide variety of data. From a report: Vladimir Smitka began his .git directory odyssey in July when he began looking at Czech websites to find how many were improperly configured and allow access to their .git folders within the file versions repository. Open .git directories are a particularly dangerous issue, he said, because they can contain a great deal of sensitive information. "Information about the website's structure, and sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on. However, this data shouldn't be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices," Smitka wrote. Smitka queried 230 million websites to discover the 390,000 allowing access to their .git directories. The vast majority of the websites with open directories had a .com TLD with .net, .de, .org and uk comprising most of the others.

3 of 35 comments (clear)

  1. Re:.htaccess by MidSpeck · · Score: 2, Informative

    ^/.*/\.git/
    Protect git repositories in all subdirectories as well.

  2. Re:Your central git repo ... by tlhIngan · · Score: 3, Informative

    ... belongs behind ssh or, at least, behind http access and SSL.
    If I catch you doing otherwise for anything other than FOSS software I'll smack you. Hard.

    And it probably is. The thing is, the website owners are using git to version control and deploy their website (not a bad idea). So they develop their web site, push it to the central git repo, and whenever they need to go live, they just do a "git pull" on the webserver and it'll pull down the latest version of the website.

    Problem is, they forget about the hidden .git directory git makes that stores all sorts of useful information and with a little persistence, allow you access to the raw source code since you can access the individual git objects. (Or maybe even clone it using git).

  3. Re:https://slashdot.org/.git by ls671 · · Score: 3, Informative

    Slashdot is still using CVS try https://slashdot.org/CVS/

    you will see, it works! :)

    --
    Everything I write is lies, read between the lines.