[EN] Hacking public GIT repositories

24 September 2016 | Tips & Tricks

It’s a bad idea to expose your GIT directory, but why? What are the consequences? And how can you prevent this?

Let’s start with prevention

It’s pretty easy to prevent: just make sure your GIT directory is not inside the directory your virtualhost serves. Laravel, for example, has a “/public” directory that you should point your virtualhost to, so with Laravel you’re not “vulnerable”. When you’re using WordPress you could use Bedrock. For everything else, or if Bedrock isn’t an option, block it with your webserver! In the case of Magento you can test whether your GIT directory is accessible with Magereport.

Apache configuration or .htaccess file

RedirectMatch 404 /\.git

nginx configuration

location ~ /\.git {
    # the dot must be escaped: in a regex location an unescaped "." matches any character
    # "deny all" answers 403; use "return 404;" instead if you prefer not to reveal that the directory exists
    deny all;
}

The possibilities

When the GIT directory is accessible you can read the GIT configuration file pretty easily: just put “/.git/config” after a website’s URL. Cool, we can see the remotes and so on, but what else can we do? We can download the whole repository!
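To verify that the webserver rules above actually work on your own site, here is an added Python check that is not part of the original post. It requests “/.git/HEAD” and “/.git/config” and only reports an exposure when the body looks like a real Git file, because many servers answer 200 with an HTML error page; it uses only the standard library, and the URL it probes is whatever you pass on the command line.

```python
import urllib.error
import urllib.request

# Files present in every Git checkout; if either is readable, the whole
# repository can be reconstructed from the exposed directory.
PROBE_PATHS = ("/.git/HEAD", "/.git/config")


def classify(status: int, body: bytes) -> str:
    """Classify one probe result: "blocked", "exposed", "soft-404" or "other".

    A 200 only counts as "exposed" when the body looks like the Git file,
    so an HTML error page served with status 200 is not a false positive.
    """
    if status in (403, 404):
        return "blocked"
    if status != 200:
        return "other"
    text = body.decode("utf-8", errors="replace").lstrip()
    # .git/HEAD is a single line such as "ref: refs/heads/master";
    # .git/config is INI-style and starts with a [core] section.
    if text.startswith("ref: refs/") or text.startswith("[core]"):
        return "exposed"
    return "soft-404"


def fetch(url: str) -> tuple:
    """GET url and return (status, body); HTTP errors become their status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""


def check_site(base_url: str, fetcher=fetch) -> dict:
    """Probe each path under base_url; returns {path: classification}."""
    base = base_url.rstrip("/")
    return {path: classify(*fetcher(base + path)) for path in PROBE_PATHS}


if __name__ == "__main__":
    import sys
    results = check_site(sys.argv[1] if len(sys.argv) > 1 else "http://localhost")
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    sys.exit(1 if "exposed" in results.values() else 0)
```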

Downloading a public facing GIT repository

On GitHub there is a tool called DVCS Ripper which includes a script to rip GIT repos. Download the “rip-git.pl” file and run it:

./rip-git.pl -s -v -u http://www.example.com/.git/

Depending on the size of the repository it can take some time: if there is only code in the repo it’s probably done within a few minutes, but in other cases, where for example all product images (which is a bad idea by the way) are stored in the repo, it can take hours. The longest I’ve waited is about 4 hours for a repo of multiple gigabytes.

What next? What’s so dangerous?

Isn’t it dangerous enough that somebody can download your complete sources? They can set up a copy of your website, search for bugs in your code and exploit them, or, in case the developer was really stupid, there is a configuration file in the repo with database passwords! I’m not joking, I’ve experienced this with multiple websites and even big webshops! To make it even better (or worse?) some sites had a phpMyAdmin installation running at “/phpmyadmin”. The possibilities are endless from that point. Some things I could do:

  • Deface the website and put Gandalf Sax on it
  • Create an administrator account to access the backend
  • Change some payment provider credentials so all payments go to my bank account
  • Dump the database and sell it with the sources to a competitor or on the black market
  • Leak usernames and passwords

How to find public GIT repos?

As mentioned before, just try “/.git/config” after the URL, but Google can help you with this too. Just search this on Google:

.git intitle:"Index of"

And you’re going to find a lot of websites, but all of them have directory listing enabled in their webserver (so you can browse through folders without an index HTML or PHP file). Google doesn’t index the /.git/config file itself, for example, so there are a lot more websites with this problem!

What big websites do have this problem?

I’ve created a simple script to loop through the top 1 million websites of the Alexa ranking; you can find this script in a GitHub Gist. After running this script for multiple hours and scanning the top 10,000 websites I’ve found 73 public facing GIT repos. Some of them aren’t dangerous because it’s an open-source website, like the website of AngularJS which is on that list, but most of them are not intended to be public. I’m not going to put any names here until it’s fixed and the owner of the website agrees to publish the name here, but I came across sites like:

  • Webshops
  • News sites
  • File sharing sites
  • Cloud providers
  • Online advertising companies
  • Online video streaming sites
  • Stock image sites
  • Proxy providers

And to emphasize again, those are in the top 10,000 websites of the world! Later I came across this website, where they’ve crawled the whole 1 million Alexa list and created some fancy charts from it.

Conclusion

DON’T PUBLICLY EXPOSE YOUR GIT DIRECTORY! Or any other version control system like HG, Bazaar, SVN, CVS, etc.

Updates

I’ve contacted some companies with a publicly exposed git directory and here are the results:

  • translated.net: after downloading the source code I also found an XSS vulnerability. Meanwhile everything is fixed in co-operation with the company.
  • the-watch-series.to: I’ve downloaded the sources but didn’t find the time to inspect them; after contacting the support team the issue is fixed and the code is removed.