Unprotected .git or .svn directories put your website at risk of information disclosure

Post author:Peter Kraume
Post published:November 25, 2015
Post category:OpenSource / Outside the Box / Tools / TYPO3 CMS
Post comments:1 Comment

dvcs_security

Version control software is very popular among web developers. The most used tool might be Git. Unfortunately the repository directory, e.g. .git is often unprotected in production environments. These folders not only contain the source code of a website but also database credentials, API access keys or tokens for popular cloud services like Amazon AWS, salts and hashes. Even more problematic is private data contained in sql dumps or csv files.

Studies e.g. by Internetwache.org or Jamie Brown show that a reasonable amount of websites is affected by this problem.

There are a lot of tools available which offer the possibility to download entire Git or Subversion repositories even if directory listing is denied.

To check if your Git folder is accessible via web just point your browser to www.domain.tld/.git/config. If you receive an error message, everything is fine. Otherwise you should protect your installation as soon as possible.

How to disable web access:

Apache

The easiest approach is the global web server configuration, e.g. /etc/apache2/conf.d/security or vhost configuration:

<DirectoryMatch "/\.git">
Require all denied
</DirectoryMatch>

<DirectoryMatch "/\.svn">
Require all denied
</DirectoryMatch>

In shared hosting environments without direct access to the vhost configuration you can use the .htaccess file to deny access to repository folders:

RewriteEngine On
RewriteRule .git - [L,R=404]
RewriteRule .svn - [L,R=404]

Nginx

location ~ /.git/ {
deny all;
}

Put this snippet to the server-block of the nginx.conf file.

IIS 7+

<configuration>
	<system.webServer>
		<security>
			<requestFiltering>
				<hiddenSegments>
					<add segment=".git" />
					<add segment=".svn" />
				</hiddenSegments>
			</requestFiltering>
		</security>
	</system.webServer>
</configuration>

This snippet must be placed in the web.config file or via the GUI.

By the way: all recent versions of TYPO3 already contain a protection for .git, .svn and .hg folders in the _.htaccess file. Simply rename the file to .htaccess to protect your installation.

This Post Has One Comment

Nicolai 1 Feb 2016 Reply

For shared hosting the line has to be:
RewriteRule ^.git – [L,R=404],

instead of
RewriteRule .git – [L,R=404]

(This rule blocks eg. …user-uploads/images/birgit.jpg) ;-))

How to disable web access:

Apache

Nginx

IIS 7+

You Might Also Like

10 TYPO3 Commerce Solutions

TYPO3 Backend-User-Management

TYPO3 8LTS released : Important Changes

This Post Has One Comment

Leave a Reply Cancel reply