- Creation
- Validation
- Communication & fix
- Disclosure
MijnLeuven.be / Credentials and info disclosure
BloodyShell
reported 2021-09-26
Exposures
The .git folder is accessible and the whole source code can be downloaded.
The source code reveals an app/configuration/configuration.ini file containing production credentials :
; Required configuration file.
; MySQL section.
[MySQL]
host = "127.0.0.1"
user = "jeugdwerk_user"
password = "<redacted>"
database = "jeugdwerk"
trace = 0 ; Set to 1 to trace SQL statements, set to 0 to disable trace
; Facebook section
[Facebook]
appid = "236939726505949"
appsecret = "<redacted>"
; Regional section
[Regional]
language = "nl" ; For now only Dutch is supported.
.....
Resolution
- The
.gitfolder should be hidden/removed from the production and staging server - Credentials should be stored outside code repositories as much as possible
Notes
The staging website has the same configuration issue : https://jeugdwerk-staging.mijnleuven.be/
IP:
142.93.130.202Port:
443Detected protocol:
httpsVulnerable URL:
https://jeugdwerk.mijnleuven.be/.git/config[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = git@bitbucket.org:apptite/jeugdwerk.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
[branch "development"]
remote = origin
merge = refs/heads/development
Found by GitConfigPlugin 2021-09-02
Report created by
BloodyShell
2021-09-26
BloodyShell
2021-09-26
Report edited by
BloodyShell
2021-09-26
BloodyShell
2021-09-26
Report approved by
7miMAU0bfJ
2021-09-26
7miMAU0bfJ
2021-09-26
New PDF report generated by system 2021-09-26
Report dispatched to ...@... by system 2021-09-26
system
commented 2021-09-27:
approved
shows in report
Email from: lucwollants@gmail.com Dear Security researcher BloodyShell, Thanks for reporting the security issue with the exposed .git folder. I added an Apache2 directory match to exclude the git folder. How can I send you a token of gratitude for this valuable information? Best Regards, Luc -- Mac users often swear by their Macs, whereas PC users often swear at their PCs.
Report comment dispatched to BloodyShell by system 2021-09-27
Report comment dispatched to megabob by system 2021-09-27
Report comment dispatched to iampritam by system 2021-09-27
Report comment dispatched to lekol by system 2021-09-27
Report comment dispatched to lekol2 by system 2021-09-27
BloodyShell
commented 2021-09-27:
approved
shows in report
Hi ! At the moment it seems I can still access https://jeugdwerk.mijnleuven.be/.git/config Regards,
New PDF report generated by system 2021-09-27
Report comment dispatched to lucwollants@gmail.com by system 2021-09-27
system
commented 2021-09-28:
approved
shows in report
Email from: lucwollants@gmail.com Hi, For me this is no longer possible to visit. I get a forbidden Maybe browser caching? I tried with curl https://jeugdwerk.mijnleuven.be/.git/config On Mon, 27 Sept 2021 at 21:35, < d9376c2a-6e98-4728-a01c-fd3f275ae2b9@reports.leakix.net> wrote: > Hello, > > A new comment has been added to a LeakIX report your are subscribed to. > Report ID d9376c2a-6e98-4728-a01c-fd3f275ae2b9 > <http://leakix.net/reports/d9376c2a-6e98-4728-a01c-fd3f275ae2b9> > Owner *MijnLeuven.be* > Title *Credentials and info disclosure* > User BloodyShell > Comment > > Hi ! > > At the moment it seems I can still access https://jeugdwerk.mijnleuven.be/.git/config > > Regards, > > Thanks for your time! > LeakIX prevention system > support@leakix.net > https://leakix.net/reports > -- Mac users often swear by their Macs, whereas PC users often swear at their PCs.
Report comment dispatched to BloodyShell by system 2021-09-28
Report comment dispatched to iampritam by system 2021-09-28
Report comment dispatched to lekol by system 2021-09-28
Report comment dispatched to lekol2 by system 2021-09-28
Report marked as fixed by
BloodyShell
2021-09-28
BloodyShell
2021-09-28
BloodyShell
commented 2021-09-28:
approved
shows in report
Looks perfect now ! Thanks for your time and prompt resolution !
New PDF report generated by system 2021-09-28
Report comment dispatched to lucwollants@gmail.com by system 2021-09-28
Report closed by
BloodyShell
2021-09-28
BloodyShell
2021-09-28
New PDF report generated by system 2021-09-28
Report edited by
BloodyShell
2021-09-28
BloodyShell
2021-09-28
New PDF report generated by system 2021-09-28
Report comment 84f07e approved by
BloodyShell
2021-10-07
BloodyShell
2021-10-07
New PDF report generated by system 2021-10-07
Report comment dispatched to BloodyShell by system 2021-10-07
Report comment dispatched to lucwollants@gmail.com by system 2021-10-07
Report comment b8739d approved by
BloodyShell
2021-10-07
BloodyShell
2021-10-07
New PDF report generated by system 2021-10-07
Report comment dispatched to BloodyShell by system 2021-10-07
Report comment dispatched to lucwollants@gmail.com by system 2021-10-07
Information
Owner
MijnLeuven.be
Created
2021-09-26 16:21
Updated
2021-10-07 17:42
Fixed
true
Contacts
l...@gmail.com
Status
Status
closed
Hosting contacted
false
CERT contacted
false
Download report