Git repository on my IT Flow server is publicly accessible

alphaTECH

I used nmap just now to check the security of my home server from the internet at large, and was surprised to see a publicly accessible Git repository at mydomain.com/.git

Is this an oversight? I used the script to install IT Flow on a fresh Debian OS a few months ago.

alphaTECH

It's not just my setup either, I've found another at one of our users' sites too.

I've heard leaving this open can lead to "git scraping" although I haven't found any sensitive information in these directories so I'm sort of on the fence if I need to be worried or not.

wrongecho

You can restrict Web access with htaccess if you wish, but I've never seen an issue with this?

qduchenne

BTW you should adjust your apache settings so you don't provide that much info to potential hacker 😉

@johnny & @wrongecho that's something you might want to add to your install script 😉

What I've done :

cd /etc/apache2/conf-enabled
sudo nano /etc/apache2/conf-enabled/security.conf

Change :

ServerSignature Off
ServerTokens Prod

Add :
Header always set Strict-Transport-Security "max-age=31536000"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "same-origin"

sudo service apache2 restart

wrongecho

qduchenne

Thanks for sharing. There's always a debate whether this actually helps security, but I can't see a proglem with doing it.

Given that Apache ships with the header on, I don't see why the script should really interfere - it's just something else that can potentially break.

Not against a Security Hardening doc page though.

qduchenne

wrongecho We work with a lot of whitehats in my company and this is one of the first thing they check.

Now we cannot deploy a new server without those anymore 😉

Flerp

wrongecho whether

Change it to UPDATE `itflow`.`users` SET `user_token` = '' WHERE (`user_id` = '1');
and that worked, since I think it was just setting it to the string NULL rather than actual null, thank you

johnny

I like all that! We will work on adding these things into the install script

MMRHC

Reading that X-Frame-Options is no longer recommended.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Also, reading XSS protection can potentially create XSS vulnerabilities.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

I think "RedirectMatch 404 /\.git" in the same file will address the OP concern.

wrongecho

MMRHC

You are more than welcome to assist with moving to CSP, reference this issue in any PRs - itflow-org/itflow1036

alphaTECH

MMRHC Perfect, that solved it. It was an option that just needed to be "switched on" too.

E-werd

A couple other thoughts on this…

You probably shouldn't be allowing directory listings in any case. Disable autoindex witha2dismod autoindex and restart apache should fix that part.
The app doesn't really need to expose hidden folders to the clients, so just deny access to them. I don't use apache, but in nginx this does it just fine in the server block:

location ~ /\. {

deny all;

}

wrongecho

E-werd

To be clear here, the install script was written by a community member. How you configure Apache, Nginx, god forbid IIS, isn't really anything to do with the core app. This is great general web hosting advice though.