
MijnLeuven.be / Credentials and info disclosure

reported 2021-09-26

Exposures

The .git folder is accessible and the whole source code can be downloaded.

The source code reveals an app/configuration/configuration.ini file containing production credentials:

; Required configuration file.

; MySQL section.
[MySQL]
host = "127.0.0.1"
user = "jeugdwerk_user"
password = "<redacted>"
database = "jeugdwerk"
trace = 0 ; Set to 1 to trace SQL statements, set to 0 to disable trace

; Facebook section
[Facebook]
appid = "236939726505949"
appsecret = "<redacted>"

; Regional section
[Regional]
language = "nl" ; For now only Dutch is supported.

.....

Resolution

  • The .git folder should be hidden/removed from the production and staging server
  • Credentials should be stored outside code repositories as much as possible
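The first resolution item is the one the site owner later reports implementing ("an Apache2 directory match to exclude the git folder"). The fragment below is an added example of what such a rule looks like; it is not taken from the report or from the site's actual configuration, and it assumes Apache 2.4 syntax (`Require`, not the 2.2 `Order/Deny` directives).

```apache
# Added example, not the site's own configuration. Apache 2.4 syntax assumed.
# Deny every request whose filesystem path passes through a .git directory,
# wherever it sits under the DocumentRoot. The regex also catches /.git itself
# (the "(/|$)" part), not just files below it.
<DirectoryMatch "/\.git(/|$)">
    Require all denied
</DirectoryMatch>

# Belt and braces: match on the URL path as well, so the rule still holds when
# the checkout is reached through an Alias or symlink rather than a real
# directory under DocumentRoot.
<LocationMatch "/\.git(/|$)">
    Require all denied
</LocationMatch>

# Other dotfiles that commonly leak alongside a checkout (.env, .htpasswd,
# .gitignore). FilesMatch tests the final path component only, so ACME
# challenges under /.well-known/ are unaffected: their file names do not
# start with a dot.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

After reloading Apache, a request such as `curl -sI https://<host>/.git/config` should return 403 (or 404) rather than 200 with the repository config in the body; the report's own follow-up shows why this check belongs in the fix procedure, since the researcher could still fetch the file after the first change, most likely because a cached copy or an unreloaded vhost was being served. Removing the .git directory from the deployed tree altogether (deploying from an archive or a build artifact rather than a checkout) removes the dependency on the web server rule entirely.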

Notes

The staging website has the same configuration issue: https://jeugdwerk-staging.mijnleuven.be/

IP: 142.93.130.202
Port: 443
Detected protocol: https

Retrieved .git/config:

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = git@bitbucket.org:apptite/jeugdwerk.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
[branch "development"]
	remote = origin
	merge = refs/heads/development
Found by GitConfigPlugin 2021-09-02
Report created by    BloodyShell  2021-09-26
Report edited by    BloodyShell  2021-09-26
Report approved by    7miMAU0bfJ  2021-09-26
New PDF report generated by system 2021-09-26
Report dispatched to ...@... by system 2021-09-26
system commented 2021-09-27: approved shows in report

Email from: lucwollants@gmail.com

Dear Security researcher BloodyShell,

Thanks for reporting the security issue with the exposed .git folder.
I added an Apache2 directory match to exclude the git folder.

How can I send you a token of gratitude for this valuable information?

Best Regards,
Luc

--
Mac users often swear by their Macs, whereas PC users often swear at their
PCs.

Report comment dispatched to BloodyShell by system 2021-09-27
Report comment dispatched to megabob by system 2021-09-27
Report comment dispatched to iampritam by system 2021-09-27
Report comment dispatched to lekol by system 2021-09-27
Report comment dispatched to lekol2 by system 2021-09-27
BloodyShell commented 2021-09-27: approved shows in report

Hi!

At the moment it seems I can still access https://jeugdwerk.mijnleuven.be/.git/config

Regards,

New PDF report generated by system 2021-09-27
Report comment dispatched to lucwollants@gmail.com by system 2021-09-27
system commented 2021-09-28: approved shows in report

Email from: lucwollants@gmail.com

Hi,

For me this is no longer possible to visit. I get a forbidden

Maybe browser caching? I tried with

curl https://jeugdwerk.mijnleuven.be/.git/config

On Mon, 27 Sept 2021 at 21:35, <
d9376c2a-6e98-4728-a01c-fd3f275ae2b9@reports.leakix.net> wrote:

> Hello,
>
> A new comment has been added to a LeakIX report you are subscribed to.
> Report ID d9376c2a-6e98-4728-a01c-fd3f275ae2b9
> <http://leakix.net/reports/d9376c2a-6e98-4728-a01c-fd3f275ae2b9>
> Owner *MijnLeuven.be*
> Title *Credentials and info disclosure*
> User BloodyShell
> Comment
>
> Hi!
>
> At the moment it seems I can still access https://jeugdwerk.mijnleuven.be/.git/config
>
> Regards,
>
> Thanks for your time!
> LeakIX prevention system
> support@leakix.net
> https://leakix.net/reports
>

--
Mac users often swear by their Macs, whereas PC users often swear at their
PCs.

Report comment dispatched to BloodyShell by system 2021-09-28
Report comment dispatched to iampritam by system 2021-09-28
Report comment dispatched to lekol by system 2021-09-28
Report comment dispatched to lekol2 by system 2021-09-28
Report marked as fixed by    BloodyShell  2021-09-28
BloodyShell commented 2021-09-28: approved shows in report

Looks perfect now!

Thanks for your time and prompt resolution!

New PDF report generated by system 2021-09-28
Report comment dispatched to lucwollants@gmail.com by system 2021-09-28
Report closed by    BloodyShell  2021-09-28
New PDF report generated by system 2021-09-28
Report edited by    BloodyShell  2021-09-28
New PDF report generated by system 2021-09-28
Report comment 84f07e approved by    BloodyShell  2021-10-07
New PDF report generated by system 2021-10-07
Report comment dispatched to BloodyShell by system 2021-10-07
Report comment dispatched to lucwollants@gmail.com by system 2021-10-07
Report comment b8739d approved by    BloodyShell  2021-10-07
New PDF report generated by system 2021-10-07
Report comment dispatched to BloodyShell by system 2021-10-07
Report comment dispatched to lucwollants@gmail.com by system 2021-10-07
Information

Owner: MijnLeuven.be
Created: 2021-09-26 16:21
Updated: 2021-10-07 17:42
Fixed: true

Contacts

l...@gmail.com

Status

Status: closed
Hosting contacted: false
CERT contacted: false
