
pixical.com / Source and credentials leak through exposed git directory

zythop reported 2021-10-25

The following URL is publicly accessible and is leaking source code: https://18.207.182.35/.git/config

Additionally, the Git credentials are present and could give unauthorized access to the source code repository of private projects.

IP: 18.207.182.35
Port: 443
Detected protocol: https
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = https://xxxx@gitlab.com/better-ed-internal/pixical-homepage.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
Found by GitConfigPlugin 2021-10-21
Report created by zythop  2021-10-25
Report approved by BloodyShell  2021-10-25
New PDF report generated by system 2021-10-25
Report dispatched to ...@... by system 2021-10-25
Report dispatched to ...@... by system 2021-10-25
Report edited by BloodyShell  2021-10-30
New PDF report generated by system 2021-10-30
Report dispatched to ...@... by system 2021-10-30
Report comment dispatched to BloodyShell by system 2021-10-30
Report comment dispatched to iampritam by system 2021-10-30
Report comment dispatched to fokoil by system 2021-10-30
Report comment dispatched to BloodyShell by system 2021-10-31
Report comment dispatched to iampritam by system 2021-10-31
Report comment dispatched to fokoil by system 2021-10-31
system commented 2021-11-02: approved shows in report

Email from: chethan@better.club

Dear Team,

Thanks for bringing this issue to our attention. We'd like to inform you
that we have plugged the unrestricted access from our side and this issue
should not exist anymore.

Eg. curl https://pixical.com/.git/config

Regards,
Chethan Rao

Report comment dispatched to BloodyShell by system 2021-11-02
Report comment dispatched to iampritam by system 2021-11-02
Report comment dispatched to fokoil by system 2021-11-02
Report marked as fixed by iampritam  2021-11-02
Report comment 1692cf approved by BloodyShell  2021-11-02
New PDF report generated by system 2021-11-02
Report comment dispatched to zythop by system 2021-11-02
Report comment dispatched to privacy@pixical.com by system 2021-11-02
Report comment dispatched to hey@pixical.com by system 2021-11-02
Report comment dispatched to abuse@amazonaws.com by system 2021-11-02
Report comment dispatched to BloodyShell by system 2021-11-02
Report comment dispatched to iampritam by system 2021-11-02
Report comment dispatched to fokoil by system 2021-11-02
Report closed by BloodyShell  2021-11-02
New PDF report generated by system 2021-11-02
Report edited by BloodyShell  2021-11-02
New PDF report generated by system 2021-11-02
Information
Owner pixical.com
Created 2021-10-25 06:48
Updated 2021-11-02 20:01
Fixed true

Contacts
p...@pixical.com
h...@pixical.com
a...@amazonaws.com

Status
Status closed
Hosting contacted false
CERT contacted false
