Website vulnerability!

Nicolás Alvarez nicolas.alvarez at gmail.com
Thu May 7 22:51:41 BST 2020


The repository only contains MediaWiki, which is open source. There are no credentials in git.

I thought we had already blocked that (just to stop all these "security" reports without any evidence of impact). Turns out the config file got lost in a server move. It's now blocked.

> El 7 may. 2020, a la(s) 17:31, Peter K <s1ak at protonmail.com> escribió:
> 
> Hi,
> 
> My name is Peter and I'm a security researcher/white hat/ethical hacker from Hungary.
> 
> I detected a security problem on your website.
> 
> Details of the Vulnerability:
> 
> The problem is you have a publicly available git repository on your website. You can check it by visiting https://techbase.kde.org/.git/HEAD.
> When you visit the directory https://techbase.kde.org/.git you usually get a 403 error because there is no index.html/.php file and you don’t allow the directory listing/autoindex to be shown (if you can see the directory structure you have a misconfigured webserver – it is another type of vulnerability).
> Despite 403 it is possible to access the files directly:
> 
> https://techbase.kde.org/.git/logs/HEAD – it is the list of commits with details about committers.
> 
> The structure of a git repository is well known, so it is possible to find references to the objects/packs in the repository, download them via direct requests, reconstruct the repository and obtain your files – not only the current ones, but also the past files.
> It is a bad idea to store DB credentials and various API tokens in the repository, but many developers don’t follow the best practices and the vulnerability is really serious in this case.
> It is not always possible to download the complete repo, but there is still a lot of other interesting information, e.g. https://techbase.kde.org/.git/index – it is a binary file and it reveals the structure of your application, libs used, endpoints, internal files etc.
> Sometimes you can find the address of unsecured WYSIWYG editors with the file uploader – unfortunately it is really common.
> 
> ! In some cases, from the exposed .git folder, the attacker can recover the website source files, config files, tokens, keys or backups !
> 
> Have a nice day!
> 
> Peter
> s1ak at protonmail.com
> 
> PS: If you feel like treating me to something extra for my time, I appreciate the following:
> (PayPal, cryptocurrency, voucher, swag, t-Shirt, cap, stickers, buy me something from my amazon wish list ... or just a thanks! ;)
> 
> 
> -----------------------------------------------------------------------
> Bug Bounty Profile:
> https://www.openbugbounty.org/researchers/RickChase/
> PayPal address: rxroawnhbcek at yandex.com
> 
> Sent with ProtonMail Secure Email.
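A defender's verification script for the fix described in the reply above (denying access to /.git at the web server), added here as an example and not part of the original thread. The site URL is a command-line placeholder, and it handles the usual false positive, a custom "not found" page served with HTTP 200, by checking that the body is really git metadata rather than trusting the status code alone.

```python
"""Confirm that a web server really blocks its .git directory.

Run after deploys or server moves to make sure the deny rule survived.
"""
import re
import urllib.error
import urllib.request

# Files present in every git checkout; all of them must be unreachable.
GIT_PROBES = ("/.git/HEAD", "/.git/config", "/.git/index")

# A genuine HEAD file is either a symbolic ref or a 40-hex commit id.
HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})$")


def looks_like_git_content(path: str, body: bytes) -> bool:
    """Distinguish real git metadata from a 'soft 404' page returned with 200."""
    if path.endswith("/HEAD"):
        return bool(HEAD_RE.match(body.strip()))
    if path.endswith("/config"):
        return b"[core]" in body
    if path.endswith("/index"):
        return body.startswith(b"DIRC")  # magic bytes of the git index file
    return False


def fetch(url: str):
    """Return (status, first 4 KiB of body); HTTP errors become a status, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""


def check_git_blocked(base_url: str, fetch_fn=fetch) -> dict:
    """Map each probe path to 'blocked' or 'EXPOSED'; fetch_fn is injectable for testing."""
    results = {}
    for path in GIT_PROBES:
        status, body = fetch_fn(base_url.rstrip("/") + path)
        exposed = status == 200 and looks_like_git_content(path, body)
        results[path] = "EXPOSED" if exposed else "blocked"
    return results


if __name__ == "__main__":
    import sys
    for probe, state in check_git_blocked(sys.argv[1]).items():  # e.g. https://your-site.example
        print(f"{state:8} {probe}")
```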