“The .git directory contains all of your [Git] repository data, such as configuration, commit history, and the actual content of each file. If you can get the complete contents of the .git folder for a particular site, you can access the raw source code for that site, and often other interesting configuration data such as database passwords, password salts, and more,” wrote Galvin on his blog.
The developer complains that not everyone understands this. It is not uncommon for people to accidentally publish their entire repository, including the /.git folder, to a web server and forget to delete it. In addition, /.git folders are sometimes carried along by automated build chains or copied into Docker images.
Hackers can therefore scan the Internet for such folders, download their contents and gain access to sensitive data and even the site's source code.
“Web servers with directory listing enabled make these attacks particularly easy because it’s just a matter of recursively downloading each file in the .git directory and doing a git checkout. The attack is possible even if directory lists are disabled, but then it is often difficult to get the full repository,” says the author of Gitjacker.
Galvin explains that Gitjacker was designed specifically to download and reconstruct repositories even when directory listing is disabled. The researcher built the tool for use in penetration tests, but its capabilities will most likely also be appreciated by attackers, who often rely on open source tooling for their attacks and, for example, on legitimate services like Pastebin to distribute malware.
Unfortunately, /.git folders are still frequently found exposed to the public. For example, in 2018 a Czech expert crawled over 230 million sites and found that 390,000 of them served an open /.git folder; the problem was subsequently fixed in only 150,000 of those cases.
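A site operator can verify their own deployment for the exposure described above before an outsider does. The following script is an added example written for this article; it is not part of Gitjacker or of Galvin's work. It requests only /.git/HEAD on a host you operate and classifies the answer by content rather than by status code alone, because many servers return a 200 "soft 404" page for any path. The staging hostname in the comment and the sample responses are constructed placeholders.

```python
"""Self-check for an exposed .git directory on a site you operate.

Added example; not part of the article or of Gitjacker. It probes only
/.git/HEAD (the cheapest reliable indicator) and classifies the response,
so it can be run against staging before a deployment goes public.
"""
import re
import urllib.error
import urllib.request

# A genuine HEAD file is either a symbolic ref or a detached 40-hex commit id.
_HEAD_RE = re.compile(r"^(ref: refs/[^\s]+|[0-9a-f]{40})\s*$")


def looks_like_git_head(body: str) -> bool:
    """True if the body is a plausible Git HEAD file.

    Servers often answer 200 with an HTML error page for unknown paths, so
    the status code alone proves nothing; the content has to match.
    """
    stripped = body.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    return bool(_HEAD_RE.match(first_line))


def classify(status: int, body: str) -> str:
    """Map a (status, body) pair from GET /.git/HEAD to a verdict string."""
    if status == 200 and looks_like_git_head(body):
        return "EXPOSED: .git/HEAD is served; the repository is likely downloadable"
    if status == 200:
        return "SOFT-404: 200 but not a Git file (probably a catch-all page)"
    if status in (401, 403):
        return "BLOCKED: server denies access (confirm the rule covers the whole .git tree)"
    if status == 404:
        return "NOT FOUND: no .git directory served at this path"
    return f"UNEXPECTED: HTTP {status}"


def check_site(base_url: str, timeout: float = 5.0) -> str:
    """Fetch <base_url>/.git/HEAD from a host you own and classify it."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, "")
    except urllib.error.URLError as e:
        return f"ERROR: {e.reason}"


# Constructed sample responses, used to exercise the classifier offline.
SAMPLES = {
    "symbolic ref": (200, "ref: refs/heads/main\n"),
    "detached head": (200, "a" * 40 + "\n"),
    "soft 404": (200, "<!DOCTYPE html><html><body>Page not found</body></html>"),
    "denied": (403, ""),
    "absent": (404, ""),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:14s} -> {classify(status, body)}")
    # Against a host you operate (placeholder hostname):
    # print(check_site("https://staging.example.com"))
```

Whatever the check reports, the durable fix is to keep the .git directory out of the deployed tree altogether (deploy a build artifact rather than a checkout, and list .git in .dockerignore) and, as a second layer, deny the path at the web server, for example with `location ~ /\.git { deny all; }` in nginx, so that a stray copy is never served even if it slips through.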
Let me remind you that researchers present tools for scanning computers for BlueKeep vulnerability.