Bug #78942 /.git/ directory exposed at
Submitted: 2019-12-10 14:45 UTC Modified: 2019-12-10 22:59 UTC
From: r dot catterall dot 84 at gmail dot com Assigned: rasmus
Status: Closed Package: Systems problem
PHP Version: Irrelevant OS: N/A
Private report: No CVE-ID: None
 [2019-12-10 14:45 UTC] r dot catterall dot 84 at gmail dot com
The /.git/ directory is currently publicly available at the site. This allows an attacker to utilise publicly available tools such as GitTools ( to download the exposed repository. With this repository it's possible to view all code (including underlying php source code) of all changes to the website since January 2014. 

Steps to reproduce. 

1. Obtain GitTools
2. Run the "extractor" script against the domain. (bash qa-php-net"

Similar findings have been verified as a valid security vulnerability in the past. 


A comprehensive audit of the entire git history has not been completed at this time, which may reveal further passwords, api tokens, or source code that could be deemed sensitive. At a glance there may be sensitive information that is exposed. 

**pftt_report.php** - Exposing token check which isn't publicly known otherwise
```php
// Excerpt from pftt_report.php as quoted in the report: the expected MD5
// digest of the token is hard-coded, so anyone reading the source sees
// exactly what the submitted token is compared against.
if (md5($_POST['token']) != "b1cab611a6a4ae40693c0f0f9df16692") {
	exit_error("Invalid Token");
}
```

Source code which may aid an attacker in determining how to abuse file uploads to gain access to the server.
```php
// Excerpt from pftt_report.php as quoted in the report. $branch, $revision
// and $fail_crash_count are set earlier in the file and are not shown here.
$report_name = trim($_FILES['report_file']['name']);
if (strlen($report_name) > 100) {
	$report_name = substr($report_name, 0, 100);
}
if (substr($report_name, -5) != ".html") {
	$report_name .= ".html";
}

// decide where to store it
$report_file = dirname($_SERVER['SCRIPT_FILENAME']) . "/reports/db/$branch/$revision/$report_name";
$report_dir = dirname($report_file);

// ensure dir exists
mkdir($report_dir, 0777, TRUE);

if ($fail_crash_count > 0) {
    $fh = fopen("$report_dir/FAIL_CRASH.txt", "w");
    fwrite($fh, "$fail_crash_count");
    // "$$report_name" is kept as it appears in the quoted source
    $fh = fopen("$$report_name.txt", "w");
    fwrite($fh, "$fail_crash_count");
}

// report_file is stored locally in a temporary file, move that file to the permanent location
move_uploaded_file($_FILES['report_file']['tmp_name'], $report_file);
```

There are also multiple examples of SQL queries or other source snippets that could potentially aid an attacker. The owners of would be in the best position to assess potential risk. 

 [2019-12-10 17:14 UTC]
-Type: Security +Type: Bug
 [2019-12-10 17:14 UTC]
The repo (like all websites) is public at;a=summary, as such this is not a security issue. Of course, it would still be better to not expose .git via HTTP.
 [2019-12-10 17:20 UTC]
-Package: *Configuration Issues +Package: Systems problem
 [2019-12-10 21:54 UTC] r dot catterall dot 84 at gmail dot com
I apologize for not finding the repo. Clearly in that case it's not an issue. All the best.
 [2019-12-10 22:59 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: rasmus
 [2019-12-10 22:59 UTC]
I have blocked .git now
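A site operator can confirm that a block like the one described in this thread actually took effect by probing the two easiest-to-recognise files under /.git/ and classifying the responses. This is an added example, not code from the bug report or from php.net; the probe paths, the classification rules and the `git-exposure-check` User-Agent are my own choices.

```python
import re
import urllib.request
import urllib.error

# Probe paths: HEAD and config are plain text with a fixed shape, which makes
# a genuine repository easy to tell apart from a soft-404 HTML page.
GIT_PATHS = ("/.git/HEAD", "/.git/config")

# A HEAD file is either a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})\s*$")


def classify_git_response(path, status, body):
    """Classify one HTTP response for a .git path.

    "exposed": the body is recognisably git metadata.
    "blocked": the server refused or hid the path (401/403/404).
    "unclear": anything else, e.g. a 200 that is really an HTML error page.
    """
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "unclear"
    text = body.strip()
    if path.endswith("/HEAD") and HEAD_RE.match(text):
        return "exposed"
    if path.endswith("/config") and text.startswith("[core]"):
        return "exposed"
    return "unclear"


def fetch(url):
    """GET a URL and return (status, body); HTTP errors are results, not failures."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def check_site(base_url, fetcher=fetch):
    """Probe every path on one site; the fix is complete only if all are blocked."""
    results = {}
    for path in GIT_PATHS:
        status, body = fetcher(base_url.rstrip("/") + path)
        results[path] = classify_git_response(path, status, body)
    return results


if __name__ == "__main__":
    import sys
    for path, verdict in check_site(sys.argv[1]).items():
        print(f"{path}: {verdict}")
```

Run it against your own site after deploying the web server rule; any "unclear" verdict deserves a manual look because a 200 with an HTML body may be a catch-all page rather than a real block.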
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jul 14 18:01:29 2024 UTC