php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78942 /.git/ directory exposed at https://qa.php.net/.git/
Submitted: 2019-12-10 14:45 UTC Modified: 2019-12-10 22:59 UTC
From: r dot catterall dot 84 at gmail dot com Assigned: rasmus (profile)
Status: Closed Package: Systems problem
PHP Version: Irrelevant OS: N/A
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: r dot catterall dot 84 at gmail dot com
New email:
PHP Version: OS:

 

 [2019-12-10 14:45 UTC] r dot catterall dot 84 at gmail dot com
Description:
------------
The /.git/ directory is currently publicly available at the https://qa.php.net site. This allows an attacker to utilise publicly available tools such as GitTools (https://github.com/internetwache/GitTools) to download the exposed repository. With this repository it's possible to view all code (including underlying php source code) of all changes to the website since January 2014. 

Steps to reproduce. 

1. Obtain GitTools
2. Run the "extractor" script against the qa.php.net domain. (bash gitdumper.sh http://qa.php.net/.git/ qa-php-net"

Similar findings have been verified as a valid security vulnerability in the past. 

**Examples**
https://hackerone.com/reports/248693
https://hackerone.com/reports/173811
https://hackerone.com/reports/218465
https://hackerone.com/reports/221298

A comprehensive audit of the entire git history has not been completed at this time, which may reveal further passwords, api tokens, or source code that could be deemed sensitive. At a glance there may be sensitive information that is exposed. 

**pftt_report.php** - Exposing token check which isn't publicly known otherwise
```
if (md5($_POST['token'])!="b1cab611a6a4ae40693c0f0f9df16692") {
	exit_error("Invalid Token");
}
```

Source code which may aid an attacker in determining how to abuse file uploads to gain access to the server.
```
$report_name = trim($_FILES['report_file']['name']);
if (strlen($report_name) > 100) {
	$report_name = substr($report_name, 0, 100);
}
if (substr($report_name, -5) != ".html") {
	$report_name .= ".html";
}

// decide where to store it
$report_file = dirname($_SERVER['SCRIPT_FILENAME']) . "/reports/db/$branch/$revision/$report_name";
$report_dir = dirname($report_file);

// ensure dir exists
mkdir($report_dir, 0777, TRUE);

if ($fail_crash_count > 0) {
    $fh = fopen("$report_dir/FAIL_CRASH.txt", "w");
    fwrite($fh, "$fail_crash_count");
    fclose($fh);
    $fh = fopen("$$report_name.txt", "w");
    fwrite($fh, "$fail_crash_count");
    fclose($fh);
}

// report_file is stored locally in a temporary file, move that file to the permanent location
move_uploaded_file($_FILES['report_file']['tmp_name'], $report_file);
```

There are also multiple examples of SQL queries or other source snippets that could potentially aid an attacker. The owners of qa.php.net would be in the best position to assess potential risk. 

Test script:
---------------
N/A

Expected result:
----------------
N/A

Actual result:
--------------
N/A

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-10 17:14 UTC] nikic@php.net
-Type: Security +Type: Bug
 [2019-12-10 17:14 UTC] nikic@php.net
The qa.php.net repo (like all php.net websites) is public at http://git.php.net/?p=web/qa.git;a=summary, as such this is not a security issue. Of course, it would still be better to not expose .git via HTTP.
 [2019-12-10 17:20 UTC] cmb@php.net
-Package: *Configuration Issues +Package: Systems problem
 [2019-12-10 21:54 UTC] r dot catterall dot 84 at gmail dot com
I apologize for not finding the repo. Clearly in that case it's not an issue. All the best.
 [2019-12-10 22:59 UTC] rasmus@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: rasmus
 [2019-12-10 22:59 UTC] rasmus@php.net
I have blocked .git now
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Tue Dec 05 10:01:26 2023 UTC