Exposed .git Folder and How To Remediate it
Discovery
Usually we find this when directory brute-forcing returns positive results for the following URLs:
http://site.com/.git/
http://site.com/.git/config
http://site.com/.git/HEAD
http://site.com/.git/index
Many times the .git/ directory itself returns 403 (because directory listing is disabled), but the files within it are still downloadable. Many of the git files are at known paths and the rest can be worked out from the known files, so it is still exploitable as long as the individual files can be downloaded.
Exploitation
If directory listing is enabled (we can see the files in the folder), we can use these commands to download the files:
wget -e robots=off -r --no-check-certificate --no-parent http://site.com/.git/
git checkout -f
Alternatively, if we don’t have directory listing, we can use arthaud’s git-dumper to download the git files:
python3 git-dumper.py -j 8 http://site.com/.git site.com_git
Usually “git checkout -f .” will recover the files from the .git folder, but that can fail if files are missing. When this happens you can use
git fsck --name-objects
git ls-tree --full-tree HEAD
to get a list of the files and “git cat-file blob FILE_BLOB_HASH_HERE” to recover a specific file.
You should now have a copy of some or all of the website’s files. From here you can audit the source code for vulnerabilities or use credentials and API keys from the source code to gain more access. If there are keys, credentials or secrets in the source code, it means they are also stored in the developers’ git repository, which is considered bad practice.
Patching
How you fix this issue depends on your environment. If you don’t actively use git to update your site, you can simply remove the .git directory. If you do actively use it, you should consider putting the website root folder in a sub-directory of your git repository, so your structure looks something like this:
.git
siteroot/
siteroot/index.php
This way the .git directory isn’t in your webroot and is not exposed to the internet.
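The following pre-deploy check is an added example (not code from the original post). It walks the directory that is about to be published and reports every hidden (dot) file or directory a web server would otherwise serve, with .well-known allow-listed as in the filter rules later in the post, and it runs the check against two constructed layouts: the bad one with .git inside the web root, and the good one with .git one level above a siteroot/ sub-directory. The sample file contents and the ALLOWED_DOT_ENTRIES set are assumptions made for the example.

```python
"""Pre-deploy check for a web root (added example, not from the original post).

Reports hidden files and directories under the directory that will be
published, so a .git directory (or a stray .env / .htpasswd) is caught
before it is exposed to the internet.
"""
import os
import tempfile

# Dot-entries that are legitimately exposed (ACME challenges, security.txt, ...).
# Everything else whose name starts with "." is flagged. Assumed allow-list.
ALLOWED_DOT_ENTRIES = {".well-known"}


def find_exposed_dot_entries(webroot):
    """Return sorted paths (relative to webroot) of hidden files and directories
    that are not allow-listed. A flagged directory such as .git is reported once
    with a trailing '/' and is not descended into."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        rel_dir = "" if rel_dir == "." else rel_dir
        for name in list(dirnames):
            if name.startswith(".") and name not in ALLOWED_DOT_ENTRIES:
                findings.append(os.path.join(rel_dir, name) + "/")
                dirnames.remove(name)  # prune: os.walk honours in-place edits
        for name in filenames:
            if name.startswith(".") and name not in ALLOWED_DOT_ENTRIES:
                findings.append(os.path.join(rel_dir, name))
    return sorted(findings)


def _write(path, content=""):
    """Create parent directories and write a small text file."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def build_bad_layout(base):
    """Constructed sample: the repository was cloned straight into the web root."""
    _write(os.path.join(base, ".git", "HEAD"), "ref: refs/heads/main\n")
    _write(os.path.join(base, ".git", "config"), "[core]\n")
    _write(os.path.join(base, "index.php"), "<?php echo 'hi';\n")
    _write(os.path.join(base, ".env"), "DB_PASSWORD=constructed-sample\n")
    _write(os.path.join(base, "uploads", ".htaccess"), "Deny from all\n")
    _write(os.path.join(base, ".well-known", "acme-challenge", "token"), "ok\n")
    return base  # the web root is the repository itself


def build_good_layout(base):
    """Constructed sample: .git lives one level above siteroot/, the web root."""
    _write(os.path.join(base, ".git", "HEAD"), "ref: refs/heads/main\n")
    _write(os.path.join(base, "siteroot", "index.php"), "<?php echo 'hi';\n")
    _write(os.path.join(base, "siteroot", ".well-known", "security.txt"),
           "Contact: mailto:security@example.com\n")
    return os.path.join(base, "siteroot")


def demo():
    """Run the check against both constructed layouts and return the findings."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        bad_root = build_bad_layout(os.path.join(tmp, "bad"))
        good_root = build_good_layout(os.path.join(tmp, "good"))
        results["bad"] = find_exposed_dot_entries(bad_root)
        results["good"] = find_exposed_dot_entries(good_root)
    return results


if __name__ == "__main__":
    for layout, findings in demo().items():
        print(f"{layout}: {'FAIL' if findings else 'OK'} {findings}")
```

Run it as a step in the deploy pipeline with the real web root instead of the temporary directories and fail the deploy when the list is non-empty; the check is filesystem-only, so it catches the exposure before the web server ever sees a request.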
Webserver Filtering
You can also add rules to your webserver to prevent visitors from downloading files from .git.
Htaccess
If your server or project uses .htaccess files, add this line:
RewriteRule "(^|/)\.(?!well-known\/)" - [F]
Apache
Add this rule to httpd.conf or the relevant site config.
<DirectoryMatch "^/.*/\.git/">
Require all denied
</DirectoryMatch>
That rule only filters .git requests. A better catch-all rule would be:
<Directory ~ "/\.(?!well-known\/)">
Require all denied
</Directory>
This will filter requests for any path segment beginning with a dot, and so protects against other similar exposures.
Nginx
Add this rule to the server block in your nginx config (the dot is escaped so the pattern matches only a literal .git segment, not any character followed by git):
location ~ /\.git/ {
deny all;
}
That rule only filters .git requests. A better catch-all rule would be:
location ~ /\.(?!well-known).* {
deny all;
}
This will filter requests for any path segment beginning with a dot, and so protects against other similar exposures.
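As a complement to the filter rules, the following access-log check is an added example (not code from the original post). It applies the catch-all pattern `/\.(?!well-known/)` from the post's filter rules to each request path in a few constructed combined-format log lines and reports which hidden paths were actually served (2xx) rather than denied (403), so you can both spot probing for .git and confirm the rule is in effect. The IP addresses, timestamps and user agents in the sample are constructed.

```python
"""Access-log check for dot-path requests (added example, not from the original post)."""
import re
from collections import Counter

# Combined log format as written by Apache and Nginx by default; we only need
# the client address, the request path and the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Same pattern as the catch-all rules in the post: a path segment that starts
# with a dot, except .well-known/ (the trailing slash stops .well-known-backup
# and similar names from slipping through).
DOT_PATH_RE = re.compile(r"/\.(?!well-known/)")

# Constructed sample: one client probing .git and .env, one legitimate ACME
# request, one ordinary page view, and a later probe after the rule was added.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Nov/2020:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"
203.0.113.10 - - [23/Nov/2020:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "curl/7.68.0"
203.0.113.10 - - [23/Nov/2020:10:00:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.68.0"
198.51.100.7 - - [23/Nov/2020:10:05:00 +0000] "GET /.well-known/acme-challenge/abc HTTP/1.1" 200 87 "-" "acme-client"
198.51.100.7 - - [23/Nov/2020:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Dec/2020:11:00:00 +0000] "GET /.git/index HTTP/1.1" 403 162 "-" "curl/7.68.0"
"""


def matches_catch_all(path):
    """True if the filter rule would deny this request path."""
    return DOT_PATH_RE.search(path) is not None


def analyse(log_text):
    """Classify every dot-path request in the log by how the server answered."""
    served, denied, other = [], [], []
    probes_per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production tool would count these
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if not matches_catch_all(path):
            continue  # normal traffic, including .well-known
        probes_per_ip[ip] += 1
        record = (ip, path, status)
        if 200 <= status < 300:
            served.append(record)  # hidden content left the server: exposure
        elif status == 403:
            denied.append(record)  # the filter rule did its job
        else:
            other.append(record)  # e.g. 404: nothing there, but still a probe
    return {
        "served": served,
        "denied": denied,
        "other": other,
        "probes_per_ip": probes_per_ip,
        "filter_effective": not served,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for key in ("served", "denied", "other"):
        for ip, path, status in report[key]:
            print(f"{key:7s} {status} {ip:15s} {path}")
    print("probing clients:", dict(report["probes_per_ip"]))
    print("filter effective:", report["filter_effective"])
```

Any entry in `served` means hidden content was handed out and the rule was not in place (or not matching) at that time; the `probes_per_ip` counter is the same signal you would feed into alerting, since repeated requests for /.git/HEAD, /.git/config and /.env from one address are exactly the discovery pattern described at the top of the post.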
Changelog
Date | Change |
---|---|
23/11/2020 | Blog post released |
10/12/2020 | Added part about recovering files from incomplete git folders |