Version Control Systems data leak #281

Open
bright-security bot opened this issue Jul 9, 2023 · 0 comments
Version Control Systems data leak

Severity: High Discovered: 9 July 2023, 01:36 PM

CWE ID

CWE-527

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Details

A misconfigured setting on the remote server allows listing and accessing version control system files, which should not be present or accessible from a remote location.

Possible exposure

Data leakage, Access to unauthorized information

Remediation suggestions

Make sure to remove all VCS artifacts from production servers; if they are strictly needed, make sure they are not accessible via remote HTTP access.

Request

GET https://brokencrystals.com/.git/HEAD?email=&message=NexPloitData&name=gadi&subject=abc8d5c8968 HTTP/1.1
Referer: https://brokencrystals.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/106.0.5249.119 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: identity
cookie: connect.sid=Ql71I4Ub3AK8ljMCQs1l8T1X5NrOi_Ex.swwAm2VHNL192QuozypyOX7PZ6bxLWfOWiqFSqrmeGc; bc-calls-counter=1688909780722
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyIjoiYWRtaW4iLCJleHAiOjE2ODczMzg5MDB9.Tct-MaLY5LU49s0IR6i-ydQtnG32Hw3OqxD06fu5fZWagWbo2ICsDOPQTKvSPrvZB1c0LzdsEKD_OVzic6KoJ88PvXIuUgh5nHq11q6baEocW8R9yxQjpCDH6rWu90GWeV-X9OgZewVTTWvSIrPL23UE7axbwoh0yQZJOVP4pRLZC85VRVgzUABTY-mk2sxJtu824r3wZBc7mK5rCooW1E88EcZ15UVWBwXjGDZy28ziFTfx1MtMmN13bm9_sQlhnXLd6B1KP_Fb-RlnfByoCXRd7kowwRIZbUqHXwaOHDTnP6uogeeTlT0KNrmaJZoWWmYpmlCbw1KdLiqjWnU2UrqMa9A1fCbuZQf5192NnPE-Htz3y3k_BEScMCg2rKr8jDGIREZxvajRgIcNWUDsgKSrSNGyR6o-iAMOXkvY58LU7W6ERuWYaw7ulUqdY2MNAYOHmQdQF3SML-Ng2bkIHvuiWa_gLVRW75fJypzLz3Cpi6gz8M-OF2hR1t7d8u0xBjjCGfJUTte6oa7Qip5S_K8taxMTyBzYaSgZt6NWgXKiX8j9XDEy8Sr-GITRPAElzOMj-ezTBdvxWc8-C4xt00JVspiewPCFvlu6gbh8GyoGftgXHcdaXDvQoqk2rc44cnJ1NPayuT-Y7qb5DaMn-YWVrtNtELRdJyzVD-lmtsw

Response

HTTP/1.1 200
Date: Sun, 09 Jul 2023 13:36:21 GMT
Content-Type: application/octet-stream
Content-Length: 23
Connection: keep-alive
Last-Modified: Mon, 22 May 2023 04:18:40 GMT
ETag: "646aed20-17"
Accept-Ranges: bytes
Strict-Transport-Security: max-age=15724800; includeSubDomains
Cache-Control: public, max-age=99999

ref: refs/heads/master
