php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #78942 /.git/ directory exposed at https://qa.php.net/.git/
Submitted: 2019-12-10 14:45 UTC Modified: 2019-12-10 22:59 UTC
From: r dot catterall dot 84 at gmail dot com Assigned: rasmus (profile)
Status: Closed Package: Systems problem
PHP Version: Irrelevant OS: N/A
Private report: No CVE-ID: None
View Developer Edit
 [2019-12-10 14:45 UTC] r dot catterall dot 84 at gmail dot com 
Description:
------------
The /.git/ directory is currently publicly available at the https://qa.php.net site. This allows an attacker to utilise publicly available tools such as GitTools (https://github.com/internetwache/GitTools) to download the exposed repository. With this repository it's possible to view all code (including underlying php source code) of all changes to the website since January 2014. 

Steps to reproduce. 

1. Obtain GitTools
2. Run the "extractor" script against the qa.php.net domain. (bash gitdumper.sh http://qa.php.net/.git/ qa-php-net"

Similar findings have been verified as a valid security vulnerability in the past. 

**Examples**
https://hackerone.com/reports/248693
https://hackerone.com/reports/173811
https://hackerone.com/reports/218465
https://hackerone.com/reports/221298

A comprehensive audit of the entire git history has not been completed at this time, which may reveal further passwords, api tokens, or source code that could be deemed sensitive. At a glance there may be sensitive information that is exposed. 

**pftt_report.php** - Exposing token check which isn't publicly known otherwise
```
if (md5($_POST['token'])!="b1cab611a6a4ae40693c0f0f9df16692") {
	exit_error("Invalid Token");
}
```

Source code which may aid an attacker in determining how to abuse file uploads to gain access to the server.
```
$report_name = trim($_FILES['report_file']['name']);
if (strlen($report_name) > 100) {
	$report_name = substr($report_name, 0, 100);
}
if (substr($report_name, -5) != ".html") {
	$report_name .= ".html";
}

// decide where to store it
$report_file = dirname($_SERVER['SCRIPT_FILENAME']) . "/reports/db/$branch/$revision/$report_name";
$report_dir = dirname($report_file);

// ensure dir exists
mkdir($report_dir, 0777, TRUE);

if ($fail_crash_count > 0) {
    $fh = fopen("$report_dir/FAIL_CRASH.txt", "w");
    fwrite($fh, "$fail_crash_count");
    fclose($fh);
    $fh = fopen("$$report_name.txt", "w");
    fwrite($fh, "$fail_crash_count");
    fclose($fh);
}

// report_file is stored locally in a temporary file, move that file to the permanent location
move_uploaded_file($_FILES['report_file']['tmp_name'], $report_file);
```

There are also multiple examples of SQL queries or other source snippets that could potentially aid an attacker. The owners of qa.php.net would be in the best position to assess potential risk. 

Test script:
---------------
N/A

Expected result:
----------------
N/A

Actual result:
--------------
N/A

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-10 17:14 UTC] nikic@php.net
-Type: Security +Type: Bug
 [2019-12-10 17:14 UTC] nikic@php.net 
The qa.php.net repo (like all php.net websites) is public at http://git.php.net/?p=web/qa.git;a=summary, as such this is not a security issue. Of course, it would still be better to not expose .git via HTTP.
 [2019-12-10 17:20 UTC] cmb@php.net
-Package: *Configuration Issues +Package: Systems problem
 [2019-12-10 21:54 UTC] r dot catterall dot 84 at gmail dot com 
I apologize for not finding the repo. Clearly in that case it's not an issue. All the best.
 [2019-12-10 22:59 UTC] rasmus@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: rasmus
 [2019-12-10 22:59 UTC] rasmus@php.net 
I have blocked .git now
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 11:01:30 2024 UTC