Page MenuHomePhabricator

Alert group: Git repository found
Closed, InvalidPublic

Description

/w
Alert group Git repository found
Severity High
Description
Git metadata directory (.git) was found in this folder. An attacker can extract sensitive information by
requesting the hidden metadata directory that version control tool Git creates. The metadata directories
are used for development purposes to keep track of development changes to a set of source code
before it is committed back to a central repository (and vice-versa). When code is rolled to a live
server from a repository, it is supposed to be done as an export rather than as a local working copy,
and hence this problem.
Recommendations
Remove these files from production systems or restrict access to the .git directory. To deny access to
all the .git folders you need to add the following lines in the appropriate context (either global config, or
vhost/directory, or from .htaccess):
<Directory ~ "\.git">
Order allow,deny
Deny from all
</Directory>
Alert variants
Details
Git files found at : /w/.git/config
Repository files/directories:
.editorconfig
.eslintrc.json
.fresnel.yml
.gitattributes
.gitignore
.gitmodules
.gitreview
.mailmap
.phan/config.php
.phan/internal_stubs/memcached.phan_php
...
GET /w/.git/config HTTP/1.1
Connection: keep-alive
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 12 2019, 12:40 PM
revi added a subscriber: revi.Nov 12 2019, 12:56 PM
from the removed task description

Host: wikicod.ir

Doesn't sound like Wikimedia production bug?

Reedy closed this task as Invalid.Nov 12 2019, 3:17 PM
sbassett triaged this task as Lowest priority.Nov 12 2019, 4:13 PM
sbassett moved this task from Backlog / Other to Done on the Security board.
sbassett added a subscriber: sbassett.

Extremely low-level information disclosure of various configuration files are not typically considered vulnerabilities for FLOSS code such as MediaWiki, as said configuration files are publicly-available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 12 2019, 4:13 PM