The .git folder is accessible and the whole source code can be downloaded.
The source code reveals an app/configuration/configuration.ini file containing production credentials:
; Required configuration file.
; MySQL section.
[MySQL]
host = "127.0.0.1"
user = "jeugdwerk_user"
password = "<redacted>"
database = "jeugdwerk"
trace = 0 ; Set to 1 to trace SQL statements, set to 0 to disable trace
; Facebook section
[Facebook]
appid = "236939726505949"
appsecret = "<redacted>"
; Regional section
[Regional]
language = "nl" ; For now only Dutch is supported.
.....
The .git folder should be hidden or removed from the production and staging servers.
The staging website has the same configuration issue: https://jeugdwerk-staging.mijnleuven.be/
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = email@example.com:apptite/jeugdwerk.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
[branch "development"]
	remote = origin
	merge = refs/heads/development
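Once the server is configured to refuse requests under .git, the fix should be confirmed from outside rather than assumed. The following script is an added example, not part of the LeakIX report or of the site owner's fix: it requests two well-known git metadata paths under a base URL you are responsible for and only calls the directory "exposed" when the response body actually looks like git metadata (the `[core]` section seen in the config above, or a `ref:` line in HEAD), so a custom error page that answers HTTP 200 is not counted as a finding. A 403 is reported as "blocked", which is what an Apache directory-match denial produces. The base URL in the `__main__` block is a constructed placeholder.

```python
"""Confirm that a web server no longer serves its .git directory.

Added example, not the report's or the site owner's own code. Fetches a
few well-known git metadata paths and classifies each one by status code
and by whether the body has the expected shape for that file.
"""
import re
import urllib.error
import urllib.request

# Signatures for the files we probe: .git/config starts with a [core]
# section (as in the report above); .git/HEAD is either a symbolic ref
# or a bare 40-hex commit id.
GIT_PATHS = {
    ".git/config": re.compile(r"^\s*\[core\]", re.MULTILINE),
    ".git/HEAD": re.compile(r"^(ref: refs/|[0-9a-f]{40}\s*$)"),
}


def looks_like_git_metadata(path: str, body: str) -> bool:
    """Return True only if the body matches the expected shape for that git file."""
    pattern = GIT_PATHS.get(path)
    return bool(pattern and pattern.search(body))


def default_fetch(url: str) -> tuple[int, str]:
    """Fetch a URL and return (status, first 4 KiB of body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(4096).decode("utf-8", "replace")


def check_git_exposure(base_url: str, fetch=default_fetch) -> dict[str, str]:
    """Classify each probed path as 'exposed', 'blocked' or 'missing'.

    'exposed'  -> HTTP 200 and the body looks like git metadata
    'blocked'  -> HTTP 403 (what a deny rule on the .git directory returns)
    'missing'  -> anything else, e.g. 404 or a 200 custom error page
    The fetch callable is injectable so the logic can be exercised offline.
    """
    results = {}
    for path in GIT_PATHS:
        status, body = fetch(f"{base_url.rstrip('/')}/{path}")
        if status == 200 and looks_like_git_metadata(path, body):
            results[path] = "exposed"
        elif status == 403:
            results[path] = "blocked"
        else:
            results[path] = "missing"
    return results


if __name__ == "__main__":
    import sys

    # Constructed placeholder; pass the base URL of a host you administer.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.invalid"
    for path, verdict in check_git_exposure(target).items():
        print(f"{verdict:8} {target}/{path}")
```

Run it after deploying the deny rule and expect every line to read "blocked" (or "missing" if the directory was removed entirely); any "exposed" line means the rule is not matching, which is worth checking on both the production and the staging host since the report shows the same issue on each.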
Email from: firstname.lastname@example.org

Dear Security researcher BloodyShell,

Thanks for reporting the security issue with the exposed .git folder. I added an Apache2 directory match to exclude the git folder.
How can I send you a token of gratitude for this valuable information?

Best Regards,
Luc
--
Mac users often swear by their Macs, whereas PC users often swear at their PCs.
Hi!

At the moment it seems I can still access https://jeugdwerk.mijnleuven.be/.git/config

Regards,
Email from: email@example.com

Hi,

For me this is no longer possible to visit. I get a forbidden. Maybe browser caching?
I tried with curl https://jeugdwerk.mijnleuven.be/.git/config

On Mon, 27 Sept 2021 at 21:35, <firstname.lastname@example.org> wrote:
> Hello,
>
> A new comment has been added to a LeakIX report you are subscribed to.
> Report ID d9376c2a-6e98-4728-a01c-fd3f275ae2b9
> <http://leakix.net/reports/d9376c2a-6e98-4728-a01c-fd3f275ae2b9>
> Owner *MijnLeuven.be*
> Title *Credentials and info disclosure*
> User BloodyShell
> Comment
>
> Hi!
>
> At the moment it seems I can still access https://jeugdwerk.mijnleuven.be/.git/config
>
> Regards,
>
> Thanks for your time!
> LeakIX prevention system
> email@example.com
> https://leakix.net/reports
>
--
Mac users often swear by their Macs, whereas PC users often swear at their PCs.
Looks perfect now! Thanks for your time and prompt resolution!