Description:
------------
The /.git/ directory is currently publicly available at the https://qa.php.net site. This allows an attacker to utilise publicly available tools such as GitTools (https://github.com/internetwache/GitTools) to download the exposed repository. With this repository it's possible to view all code (including underlying php source code) of all changes to the website since January 2014. 

Steps to reproduce. 

1. Obtain GitTools
2. Run the "extractor" script against the qa.php.net domain. (bash gitdumper.sh http://qa.php.net/.git/ qa-php-net"

Similar findings have been verified as a valid security vulnerability in the past. 

**Examples**
https://hackerone.com/reports/248693
https://hackerone.com/reports/173811
https://hackerone.com/reports/218465
https://hackerone.com/reports/221298

A comprehensive audit of the entire git history has not been completed at this time, which may reveal further passwords, api tokens, or source code that could be deemed sensitive. At a glance there may be sensitive information that is exposed. 

**pftt_report.php** - Exposing token check which isn't publicly known otherwise
```
if (md5($_POST['token'])!="b1cab611a6a4ae40693c0f0f9df16692") {
	exit_error("Invalid Token");
}
```

Source code which may aid an attacker in determining how to abuse file uploads to gain access to the server.
```
$report_name = trim($_FILES['report_file']['name']);
if (strlen($report_name) > 100) {
	$report_name = substr($report_name, 0, 100);
}
if (substr($report_name, -5) != ".html") {
	$report_name .= ".html";
}

// decide where to store it
$report_file = dirname($_SERVER['SCRIPT_FILENAME']) . "/reports/db/$branch/$revision/$report_name";
$report_dir = dirname($report_file);

// ensure dir exists
mkdir($report_dir, 0777, TRUE);

if ($fail_crash_count > 0) {
    $fh = fopen("$report_dir/FAIL_CRASH.txt", "w");
    fwrite($fh, "$fail_crash_count");
    fclose($fh);
    $fh = fopen("$$report_name.txt", "w");
    fwrite($fh, "$fail_crash_count");
    fclose($fh);
}

// report_file is stored locally in a temporary file, move that file to the permanent location
move_uploaded_file($_FILES['report_file']['tmp_name'], $report_file);
```

There are also multiple examples of SQL queries or other source snippets that could potentially aid an attacker. The owners of qa.php.net would be in the best position to assess potential risk. 

Test script:
---------------
N/A

Expected result:
----------------
N/A

Actual result:
--------------
N/A