Website misconfiguraton!

Peter K. rxroawnhbcek at yandex.com
Tue Feb 5 22:04:20 GMT 2019


Hi,

My name is Peter and I'm a security researcher/white hat/ethical hacker from Hungary.
I detected a security problem on your website.
Details of the Vulnerability:
The problem is you have a publicly available git repository on your website. You can check it by visiting https://community.kde.org/.git/HEAD.
When you visit the directory https://community.kde.org/.git you usually get 403 error because there is no index.html/.php file and you don’t allow to show the directory listing/autoindex (if you can see the directory structure you have a misconfigured webserver – it is another type of vulnerability).
Despite 403 it is possible to access the files directly:

https://community.kde.org/.git/logs/HEAD – it is the list of commits with details about commiteers.
The structure of git repository is well known, so it is possible to found references to the objects/packs in the repository, download them via direct requests and reconstruct the repository and obtain your files – not only the current ones, but also the past files.
It is a bad idea to store DB credentials and various API tokens in the repository, but many developers don’t follow the best practices and the vulnerability is really serious in this case.
It is not always possible to download the complete repo, but there are many other interesting information still, e.g. https://community.kde.org/.git/index – it is a binary file and it reveals the structure of your application, libs used, endpoints, inernal files etc.
Sometimes you can find the address of unsecured WYSIWYG editors with the file uploader – unfortunatelly it is really common.

! Some case from the exposed .git folder, the attacker recoverable the website source files, config files, tokens, keys or backups !
FYI!
Readable file with sensitive credentials!
/.travis.yml
---
- if [ "$dbtype" = postgres ]; then psql -c "CREATE DATABASE traviswiki WITH OWNER travis;" -U postgres; fi
- >
php maintenance/install.php traviswiki admin
--pass travis
--dbtype "$dbtype"
--dbname traviswiki
--dbuser travis
--dbpass ""
--scriptpath "/w"
---

Have nice day!
Peter
ps.
If you feel like treating me to something extra for my time I appreciate the following:
(PayPal, cryptocurrency, voucher, swag, t-Shirt, cap, stickers.. etc)
... or just a thanks! ;)

Bug Bounty Profil:
https://www.openbugbounty.org/researchers/RickChase/
PayPal address: rxroawnhbcek at yandex.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-www/attachments/20190205/20e1a0a1/attachment.html>


More information about the kde-www mailing list