Unprotected .git or .svn directories put your website at risk of information disclosure

Version control software is very popular among web developers. The most used tool is probably Git. Unfortunately the repository directory, e.g. .git, is often left unprotected in production environments. These folders contain not only the source code of a website but also database credentials, API access keys or tokens for popular cloud services like Amazon AWS, salts and hashes. Even more problematic is private data contained in SQL dumps or CSV files. Studies, e.g. by Internetwache.org or Jamie Brown, show that a considerable number of websites are affected by this problem. There are many tools available that can download entire Git or Subversion repositories even if directory listing is denied.

To check whether your Git folder is accessible via the web, just point your browser to www.domain.tld/.git/config. If you receive an error message, everything is fine. Otherwise you should protect your installation as soon as possible.

How to disable web access:

Apache

The easiest approach is the global web server configuration, e.g. /etc/apache2/conf.d/security, or the vhost configuration:

    # Apache 2.4 syntax; Apache 2.2 uses "Order deny,allow" plus "Deny from all" instead.
    <DirectoryMatch "/\.git">
        Require all denied
    </DirectoryMatch>

    <DirectoryMatch "/\.svn">
        Require all denied
    </DirectoryMatch>

In shared hosting environments without direct access to the vhost configuration you can use the .htaccess file to deny access to repository folders:

    RewriteEngine On
    # Escape the dot and anchor the name: an unescaped ".git" matches any character
    # followed by "git", so a request for "legit/index.html" would be answered with 404 too.
    RewriteRule (^|/)\.git(/|$) - [L,R=404]
    RewriteRule (^|/)\.svn(/|$) - [L,R=404]
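As an added example (not code from the original post), a Python self-check for a site you operate: it fetches the repository files over HTTP and classifies the response body instead of trusting the status code, because a server that answers every path with an HTML "not found" page still returns 200; it also shows why the RewriteRule pattern must escape and anchor the dot. The /.svn/wc.db probe, the marker strings, the User-Agent value and the helper names are my choices, not the post's.

```python
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# A Git-generated .git/config always carries these two tokens.  Checking them is
# necessary because a server that answers every path with an HTML "not found"
# page (a soft 404) still returns HTTP 200, so the status code alone proves nothing.
GIT_CONFIG_MARKERS = ("[core]", "repositoryformatversion")
# Subversion 1.7+ working copies keep an SQLite database at .svn/wc.db (added here;
# the original post only probes .git/config).  SQLite files start with this header.
SVN_WCDB_MAGIC = b"SQLite format 3\x00"

def looks_like_git_config(body: bytes) -> bool:
    """True only if the response body has the shape of a Git config file."""
    text = body.decode("utf-8", errors="replace").lower()
    return all(marker in text for marker in GIT_CONFIG_MARKERS)

def looks_like_svn_wcdb(body: bytes) -> bool:
    """True only if the response body is an SQLite database (the .svn/wc.db format)."""
    return body.startswith(SVN_WCDB_MAGIC)

def check_site(base_url: str, timeout: float = 5.0) -> dict:
    """Self-check for an origin you operate: which repository artefacts are reachable?"""
    probes = {
        "git": ("/.git/config", looks_like_git_config),
        "svn": ("/.svn/wc.db", looks_like_svn_wcdb),
    }
    exposed = {}
    for name, (path, classify) in probes.items():
        req = Request(base_url.rstrip("/") + path,
                      headers={"User-Agent": "repo-exposure-selfcheck"})  # arbitrary UA
        try:
            with urlopen(req, timeout=timeout) as resp:
                exposed[name] = resp.status == 200 and classify(resp.read(65536))
        except (HTTPError, URLError):
            exposed[name] = False  # 403/404 or connection failure: not reachable here
    return exposed

# An unanchored pattern such as ".git" (unescaped dot = any character) also matches a
# request for "legit/index.html"; the anchored form only matches a ".git" path component.
# For patterns this simple Python's re and Apache's PCRE agree, so they can be compared here.
LOOSE_PATTERN = r".git"
TIGHT_PATTERN = r"(^|/)\.git(/|$)"

def rule_matches(pattern: str, rel_path: str) -> bool:
    """Emulates RewriteRule matching on the per-directory path (no leading slash)."""
    return re.search(pattern, rel_path) is not None
```

Run check_site("https://www.domain.tld") against your own host; a True value means the artefact is both served and genuine, so the Apache rules above should be applied.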
