Unprotected .git or .svn directories put your website at risk of information disclosure

dvcs_security

Version control software is very popular among web developers. The most used tool might be Git. Unfortunately the repository directory, e.g. .git is often unprotected in production environments. These folders not only contain the source code of a website but also database credentials, API access keys or tokens for popular cloud services like Amazon AWS, salts and hashes. Even more problematic is private data contained in sql dumps or csv files.

Studies e.g. by Internetwache.org or Jamie Brown show that a reasonable amount of websites is affected by this problem.

There are a lot of tools available which offer the possibility to download entire Git or Subversion repositories even if directory listing is denied.

To check if your Git folder is accessible via web just point your browser to www.domain.tld/.git/config. If you receive an error message, everything is fine. Otherwise you should protect your installation as soon as possible.

How to disable web access:

Apache

The easiest approach is the global web server configuration, e.g. /etc/apache2/conf.d/security or vhost configuration:

In shared hosting environments without direct access to the vhost configuration you can use the .htaccess file to deny access to repository folders:

Nginx

Put this snippet to the server-block of the nginx.conf file.

IIS 7+

This snippet must be placed in the web.config file or via the GUI.

 

By the way: all recent versions of TYPO3 already contain a protection for .git, .svn and .hg folders in the _.htaccess file. Simply rename the file to .htaccess to protect your installation.

1 Comments

  1. For shared hosting the line has to be:
    RewriteRule ^.git [L,R=404],

    instead of
    RewriteRule .git [L,R=404]

    (This rule blocks eg. …user-uploads/images/birgit.jpg) ;-))

     

    Reply

Leave a Comment.