Skip to content

Publicly Accessible .git directory #33

New issue
New issue
Open
Open
Publicly Accessible .git directory#33
Assignees
sachin-maheshwari
@jswheeler

Description

@jswheeler
jswheeler
opened on Apr 13, 2021

The https://submission-review.topcoder.com/.git/HEAD file is accessible meaning that the Git repository can potentially be mirrored.

##Steps To Reproduce:##

  1. Visit https://submission-review.topcoder.com/.git/HEAD
  2. Use a tool such as https://github.com/arthaud/git-dumper to dump the Git repository
  3. Checkout the latest commit to obtain a copy of the working tree

##Supporting Material/References:##
Result of requesting URL: ref: refs/heads/master

##Impact##
By checking out the latest commit from the dumped Git repository, all version controlled objects for the application can be accessed. This could include source code and secrets which should not be publicly accessible.
No attempt has been made to dump the Git repository for further analysis, however this can be done if necessary in order to ascertain further details of a potential impact.

##Source:##
https://topcoder.atlassian.net/browse/VULN-1591

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions