Critical Git Repository Leaked Internal Data

Dhamotharan
2 min read · Jun 22, 2022


Description:

A Git metadata directory (.git) was found at this location. An attacker can extract sensitive information by requesting the hidden metadata directory that the version control tool Git creates. These metadata directories exist for development purposes: they keep track of changes to a set of source code before it is committed back to a central repository (and vice versa). When code is rolled out to a live server from a repository, it should be deployed as an export rather than as a local working copy; deploying the working copy brings the .git directory along with it, which is what causes this exposure.

Affected URLs:

https://vulnerable.com/.git/

Impact:
Git repository files can disclose Git repository usernames and file lists. Although disclosures of this type do not provide a direct attack vector on their own, they can be useful to an attacker when combined with other vulnerabilities discovered in the application.

/.git/config
/.git/description
/.git/COMMIT_EDITMSG
/.git/FETCH_HEAD
/.git/logs/refs/heads/master
/.git/HEAD
/.git/info/exclude/
/.git/logs/HEAD
/.git/index/
/.git/logs/refs/remotes/origin/master

Git Tools:

You can use this tool to find websites whose .git repository is publicly accessible:

https://github.com/internetwache/GitTools

Mitigation:
Do not leave Git repository files on production environments. If keeping them there is a business requirement, implement an access control mechanism that restricts public access to the Git repository files.
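As an added example (not part of the original post, and not code from the GitTools project linked above), the script below shows the two checks a defender would want around this mitigation: an HTTP probe of your own site's /.git/HEAD that only reports exposure when the body actually parses as a Git HEAD (so a server that answers 200 with a custom "not found" page for every path is not a false positive), and a filesystem audit of a deployment directory that reports any leftover .git entries. The function names, the sample HTTP responses and the temporary docroot are all constructed for this example; the script runs offline, and `check_site` is the only part that touches the network.

```python
import os
import re
import tempfile
import urllib.error
import urllib.request

# A genuine .git/HEAD is either a symbolic ref ("ref: refs/heads/master")
# or a detached 40-hex commit id. HTML error pages, login redirects and
# soft-404s never match this, so they are not reported as exposure.
_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")


def looks_like_git_head(status: int, body: bytes) -> bool:
    """Classify one HTTP response to /.git/HEAD as exposed (True) or not."""
    if status != 200:
        return False
    try:
        text = body.decode("utf-8").strip()
    except UnicodeDecodeError:
        return False
    return bool(_HEAD_RE.match(text))


def check_site(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch <base_url>/.git/HEAD and report whether it looks exposed.
    Network call; not exercised by the offline demo functions below."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return looks_like_git_head(resp.status, resp.read(4096))
    except urllib.error.HTTPError as err:
        # 403/404 etc. still carry a status and body; classify them the same way
        return looks_like_git_head(err.code, err.read(4096))
    except (urllib.error.URLError, OSError):
        return False


# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = {
    "exposed_symbolic": (200, b"ref: refs/heads/master\n"),
    "exposed_detached": (200, b"0123456789abcdef0123456789abcdef01234567\n"),
    "blocked": (403, b"Forbidden"),
    "soft_404": (200, b"<html><body>Page not found</body></html>"),
    "redirect_to_login": (302, b""),
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples; only the two
    'exposed_*' entries should come back True."""
    return {name: looks_like_git_head(s, b) for name, (s, b) in SAMPLE_RESPONSES.items()}


def find_git_dirs(docroot: str) -> list:
    """Walk a deployment directory and return every .git entry, as
    forward-slash relative paths. .git may also be a file (git worktrees
    and submodules store a pointer file instead of a directory)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        if ".git" in dirnames or ".git" in filenames:
            rel = os.path.relpath(os.path.join(dirpath, ".git"), docroot)
            hits.append(rel.replace(os.sep, "/"))
        # do not descend into the repository itself
        dirnames[:] = [d for d in dirnames if d != ".git"]
    return sorted(hits)


def demo_filesystem_audit() -> list:
    """Constructed docroot: an index.html plus a leftover working copy under app/."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", ".git", "refs", "heads"))
        with open(os.path.join(root, "app", ".git", "HEAD"), "w") as f:
            f.write("ref: refs/heads/master\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html></html>")
        return find_git_dirs(root)


if __name__ == "__main__":
    print(classify_samples())
    print(demo_filesystem_audit())
```

Running `find_git_dirs` against the web root as part of the deployment pipeline catches the working-copy deployment the description above warns about before it reaches the network; `check_site` is the follow-up confirmation from the outside, and because it insists on a parseable HEAD it stays quiet on servers whose blanket 200 responses would otherwise trip a naive status-code check.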
