
Exposed Source Code Git

How I accidentally exposed my WordPress website’s source code through Git

This is an article on how I accidentally exposed my WordPress website’s source code through the .git repository and how I fixed it.

Introduction

I recently came across an article – “Don’t publicly expose .git or how we downloaded your website’s sourcecode – An analysis of Alexa’s 1M”. The article is fairly old, written in 2015.

In that article the Internetwache team explains how a reachable .git repository, or a simple server misconfiguration, can expose your website’s source code. They also show how easily a victim’s website source code can be recovered by downloading the .git repository and executing a few commands on the terminal.

For example, this is what the WordPress root directory of my exposed production server looked like:

Due to a server misconfiguration, my .git repository was accessible at https://victorlava.com/.git/ and therefore downloadable with the wget command. For example:

wget --mirror -I .git https://victorlava.com/.git/ 

How to check if your WordPress website’s source code is exposed?

Simple – just visit your website at https://$yourwebsite.com/.git/. If you see the directory listing then you are exposed and you need to act fast.

Solutions

Remove .git

The easiest solution is to just remove the Git versioning for your project.

rm -rf .git

However, it’s not the best solution in my opinion. What if your project depends on the versioning system and you can’t get rid of it?

Disable directory listing

This solution is simple and effective – do not have directory listing enabled on your production server!

<Directory /var/www/victorlava>
    Options -Indexes
</Directory>

Okay, this is better: now I can keep the Git versioning system and my source code is not reachable anymore. However, what if I still need directory listing enabled and Git versioning for my project, but do not want to be exposed?

Deny matched directories

There is a rule to deny only matched directories. Open your web server’s configuration file – I am using the Apache web server, so my configuration file is /etc/apache2/sites-available/victorlava-com.conf – and deny the .git repository globally. For example:

<DirectoryMatch "^/.*/\.git/">
    Require all denied
</DirectoryMatch>

Nginx

This is the equivalent configuration for the Nginx web server.

# The dot is escaped: an unescaped "." would match any character,
# so "/.git/" would also block unrelated paths such as "/agit/".
location ~ /\.git/ {
    deny all;
}
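As an added example (not code from the article), here is a self-check for a site you administer. It looks at /.git/ for a directory listing, as the article suggests, and also at /.git/HEAD, because turning off Indexes only hides the listing while the repository files themselves are still served; the DirectoryMatch and location rules above make both requests fail. The User-Agent string and the return labels are my own choices.

```python
"""Self-check for an exposed .git directory on a site you administer."""
import re
import urllib.error
import urllib.request

# A real .git/HEAD is either "ref: refs/heads/<branch>" or a detached 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/heads/\S+|[0-9a-f]{40})$")


def classify(listing_status, listing_body, head_status, head_body):
    """Classify exposure from the two responses a defender should look at.

    listing_*: response for /.git/     (what the article tells you to visit)
    head_*:    response for /.git/HEAD (readable even when Indexes is off)
    """
    if listing_status == 200 and "Index of" in listing_body:
        return "exposed-listing"   # listing is on: the whole repo can be mirrored
    if head_status == 200 and HEAD_RE.match(head_body.strip()):
        return "exposed-files"     # no listing, but repository files are served
    return "protected"             # 403/404 on both: the deny rule is working


def fetch(url):
    """Return (status, body) for a GET; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_site(base_url):
    """Probe a site you administer, e.g. check_site("https://example.com")."""
    base = base_url.rstrip("/")
    listing = fetch(base + "/.git/")
    head = fetch(base + "/.git/HEAD")
    return classify(*listing, *head)


if __name__ == "__main__":
    import sys
    for site in sys.argv[1:]:
        print(site, check_site(site))
```

Run it as `python3 gitcheck.py https://yourwebsite.com` before and after applying the deny rule; anything other than "protected" means the rule is not yet in effect.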

Conclusion

That’s why you never store your credentials in a .git repository

It is worth noting that this applies to other content management systems as well as to programming frameworks like Laravel. Just be thoughtful when using .git on a production server: disable directory listing or deny access with a DirectoryMatch rule, and never store your credentials in a .git repository!

By the way, read the full article – it is good. They also analysed how many websites were affected by this misconfiguration at the time.
