mysirani.com / Source and credentials leak through exposed git directory

zythop reported 2021-10-14

The following URL is publicly accessible and is leaking source code: https://165.22.209.140/.git/config

Additionally, the Git credentials are present and could give unauthorized access to the source code repository of private projects.

IP: 165.22.209.140
Port: 443
Detected protocol: https
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = https://<redacted>@gitlab.com/bent_ray_tech/mentalhealth.git
	fetch = +refs/heads/*:refs/remotes/origin/*
Found by GitConfigPlugin 2021-10-03
Found by GitConfigPlugin 2021-11-30
Found by GitConfigPlugin 2021-12-01
Report created by zythop  2021-10-14
Report approved by BloodyShell  2021-10-16
New PDF report generated by system 2021-10-16
Report dispatched to ...@... by system 2021-10-16
system commented 2022-01-05: approved shows in report

bip! I'm a LeakIX probe.

This issue looks like it has been resolved!

New PDF report generated by system 2022-01-05
Report comment dispatched to zythop by system 2022-01-05
Report comment dispatched to info@mysirani.com by system 2022-01-05
Report marked as fixed by BloodyShell  2022-01-05
Report closed by BloodyShell  2022-01-05
New PDF report generated by system 2022-01-05
Report edited by zythop  2022-01-06
New PDF report generated by system 2022-01-06
Information
Owner mysirani.com
Created 2021-10-14 17:53
Updated 2022-01-06 12:20
Fixed true

Contacts
i...@mysirani.com

Status
Status closed
Hosting contacted false
CERT contacted false
