Improper Preservation of Permissions in tsolucio/corebos

Valid

Reported on

Feb 27th 2022


Git repository found

Description: A Git metadata directory (.git) was found under the web root of the site. An attacker can extract sensitive information by requesting the hidden metadata directory that the version control tool Git creates. These directories are used during development to keep track of changes to a set of source code before it is committed back to a central repository (and vice versa). When code is rolled out to a live server from a repository it is supposed to be exported rather than checked out as a local working copy; deploying the working copy, .git included, is what causes this problem.

Proof of Concept: visit the URL https://demo.corebos.com/.git/config, which returns the repository's configuration file:

    [core]
        repositoryformatversion = 0
        filemode = false
        bare = false
        logallrefupdates = true
    [remote "origin"]
        url = https://github.com/tsolucio/corebos.git
        fetch = +refs/heads/*:refs/remotes/origin/*
    [branch "master"]
        remote = origin
        merge = refs/heads/master

Impact: Exposed Git repository files can disclose repository usernames, remote URLs and file lists. While disclosures of this type do not provide a direct attack vector on their own, they can be useful to an attacker when combined with other vulnerabilities discovered within the application.
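As an added example (not part of this report or of the coreBOS project), two checks a site owner can run on their own deployment: one confirms that a /.git/config response is a real Git config rather than a catch-all 200 page and extracts the remote URL it would leak, the other flags requests into /.git/ in access logs so that probing for this issue shows up in monitoring. The config body and log lines are constructed sample input; the repository URL in them is a placeholder.

```python
import configparser
import re
from typing import List, Optional, Tuple

# Constructed sample: what a server that serves .git/config verbatim returns.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = false
\tbare = false
\tlogallrefupdates = true
[remote "origin"]
\turl = https://github.com/example-org/example-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""

def is_git_config(body: str) -> Optional[str]:
    """Return the origin URL if `body` parses as a Git config with a [core]
    section, else None. A 200 status alone proves nothing: many servers answer
    every path with an HTML page."""
    # Git indents keys with a tab; strip it so configparser does not read
    # indented lines as continuations of the previous value.
    flat = "\n".join(line.strip() for line in body.splitlines())
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(flat)
    except configparser.Error:  # e.g. MissingSectionHeaderError for HTML bodies
        return None
    if not cp.has_option("core", "repositoryformatversion"):
        return None
    return cp.get('remote "origin"', "url", fallback="<no remote url>")

# Combined log format: client IP ... "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)[^"]*" (\d{3})')

# Constructed sample access-log lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2022:10:15:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/7.68.0"',
    '203.0.113.9 - - [27/Feb/2022:10:15:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2022:10:16:40 +0000] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "python-requests/2.27"',
]

def git_probe_hits(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, path, status) for every request into /.git/.
    A 200 here means the directory is served; a 403/404 still records the probe."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(2).split("?", 1)[0].startswith("/.git/"):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits
```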

Occurrences

https://demo.corebos.com/.git/config

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 3 months ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 3 months ago
Joe Bordes validated this vulnerability 3 months ago
tharunavula has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the tsolucio/corebos team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the tsolucio/corebos team. We will try again in 10 days. 3 months ago
Joe Bordes confirmed that a fix has been merged on f9aafe 2 months ago
Joe Bordes has been awarded the fix bounty
FUNDING.yml#L2 has been validated