Website misconfiguration!

Nicolás Alvarez nicolas.alvarez at gmail.com
Tue Feb 5 23:43:40 GMT 2019


> On 5 Feb 2019, at 19:04, Peter K. <rxroawnhbcek at yandex.com> wrote:
> 
> Hi,
> 
> My name is Peter and I'm a security researcher/white hat/ethical hacker from Hungary.
> 
> I detected a security problem on your website.
> 
> Details of the Vulnerability:
> 
> The problem is you have a publicly available git repository on your website. You can check it by visiting https://community.kde.org/.git/HEAD.
> When you visit the directory https://community.kde.org/.git you usually get a 403 error because there is no index.html/.php file and you don't allow showing the directory listing/autoindex (if you can see the directory structure you have a misconfigured webserver – it is another type of vulnerability).
> Despite 403 it is possible to access the files directly:
> 
> https://community.kde.org/.git/logs/HEAD – it is the list of commits with details about committers.

That's not a security problem. As you can see in https://community.kde.org/.git/config it's just a clone of the public repository of MediaWiki.

There is no private code (MediaWiki is open source), and there are no credentials, there is nothing in that .git folder that isn't already public in the official upstream MediaWiki repository.

> 
> FYI!
> Readable file with sensitive credentials!
> /.travis.yml
> ---
>   - if [ "$dbtype" = postgres ]; then psql -c "CREATE DATABASE traviswiki WITH OWNER travis;" -U postgres; fi
>   - >
>       php maintenance/install.php traviswiki admin
>       --pass travis
>       --dbtype "$dbtype"
>       --dbname traviswiki
>       --dbuser travis
>       --dbpass ""
>       --scriptpath "/w"
> ---

Those are not sensitive credentials. The same file is in the public repository from Wikimedia Foundation:
https://phabricator.wikimedia.org/source/mediawiki/browse/master/.travis.yml

An exposed .git folder is not a security problem unless you can prove there is private content in it.

-- 
Nicolás
KDE Sysadmin Team
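The triage the reply above performs by hand (read the exposed .git/config, check that every remote points at a public upstream, check that no remote URL embeds credentials), as an added Python example that is not part of this thread; the sample config text and the list of public upstream hosts are constructed assumptions.

```python
import re

# Constructed sample resembling a MediaWiki clone's .git/config, plus a second
# remote with an embedded password to show the case that is NOT benign.
SAMPLE_GIT_CONFIG = """\
[remote "origin"]
\turl = https://gerrit.wikimedia.org/r/mediawiki/core
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "deploy"]
\turl = https://deploy:s3cret@git.example.internal/ops/site.git
"""
# Hosts treated as public upstream (assumption for this example).
PUBLIC_UPSTREAM_HOSTS = {"gerrit.wikimedia.org", "phabricator.wikimedia.org", "github.com"}
SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEYVAL_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')

def parse_git_config(text):
    """Parse git's INI-like config into {"remote.origin": {"url": ...}, ...}."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1) if m.group(2) is None else f"{m.group(1)}.{m.group(2)}"
            current = sections.setdefault(name, {})
        elif (m := KEYVAL_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return sections

def triage_remotes(text):
    """Per remote: host, whether it is a known public upstream, and whether the
    URL embeds credentials (user:password@host), which an exposed .git leaks."""
    report = {}
    for name, vals in parse_git_config(text).items():
        if name.startswith("remote.") and "url" in vals:
            authority = re.sub(r"^[a-z+]+://", "", vals["url"]).split("/", 1)[0]
            userinfo, _, hostport = authority.rpartition("@")
            host = hostport.split(":", 1)[0]
            report[name.split(".", 1)[1]] = {
                "host": host,
                "public_upstream": host in PUBLIC_UPSTREAM_HOSTS,
                "credentials_in_url": ":" in userinfo,
            }
    return report

def exposure_is_benign(report):
    """The reply's criterion: only public upstream content and no credentials.
    No remotes at all cannot be judged automatically, so it is not marked benign."""
    return bool(report) and all(r["public_upstream"] and not r["credentials_in_url"]
                                for r in report.values())
```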