login community faq

Please Fix: Git Repositories Are Insecure By Default

0

When you create a new Git application on WebFaction's control panel, a .htpasswd file is created with world-readable permissions. This means that anyone can access your private repositories by browsing to http://domain.com/path/to/git/.htpasswd, which contains a username and password-hash. (First the hash needs to be cracked, but that is easily done.)

To fix this:
1. The Git installer should set proper permissions on the .htpasswd file
2. Apache should be setup to protect all .htaccess and .htpasswd files, no matter what their file permissions are. (That is actually the default on Debian.)

Until one of those solutions can be implemented, I recommend updating the docs at http://docs.webfaction.com/software/git.html so that users can secure their repositories themselves.

I've posted a tad more information (and a line-by-line guide to securing your repositories) on my blog.

asked Jan 11 '11 at 13:51

nyellin's gravatar image

nyellin
65
One Answer:
oldestnewestmost voted
1

This is not supposed to happen. I just checked this on my own account and can verify that it is not the case, 

1
2
3
[root@web162 git]# ls -la
-rw-r--r--  1 lucidsky lucidsky    767 Jan 11 15:36 .htaccess
-rw-r--r--  1 lucidsky lucidsky     23 Jan 11 15:36 .htpasswd

Also when I visited http://domain.com/.htaccess I was prompted with an auth, so it is not world readable. Could you please submit a support ticket so we can see why your account did this?

answered Jan 11 '11 at 15:40

johns's gravatar image

johns ♦♦
345427

I've done some more testing in a clean browser and I can reproduce this again. As you pointed out, .htaccess is protected, but .htpasswd is not protected.

To test this, I recommend creating a new git application from the control panel, as this will (temporarily) expose your repositories. If you want to test on your existing git application, then:
1. Make sure you have the default .htaccess file (which doesn't restrict access to ^.ht files.
2. Make sure that both .htaccess and .htpasswd have world-readable permissions (i.e. -rw-r--r--)

(Jan 12 '11 at 01:57) nyellin nyellin's gravatar image

When fixing this, keep in mind that git repositories which have enabled anonymous read-only access don't use any sort of authentication at all. So there's also an easy privilege escalation attack right now.

(Jan 12 '11 at 02:06) nyellin nyellin's gravatar image

When I visit,

1
domain.com/.htpasswd

I am prompted with a login box, asking for a user/password

When I browse the file-system as another user, I can not see .htpasswd. since the home directory is blocked from other users by FACLs, How are you gaining access to it or .htaccess without your user authorization, exactly? Please submit a support ticket with the exact URL.

(Jan 12 '11 at 19:43) johns ♦♦ johns's gravatar image

Yes and No. If you have access to the repository in any form (as in, your own login) then you can use this method to see other people's usernames and perhaps find a hash collision to be able to submit commits masquerading as them. This is not a big vulnerability, but it's worth fixing.

nyellin is also correct about the privilege-escalation attack. Anonymous-read repositories expose the .htpasswd file directly; in essence, it would allow for someone to crack a commit password so that they could push to repositories that they should only be able to pull from.

We will now patch the installer.

(Jan 12 '11 at 21:31) ryans ♦♦ ryans's gravatar image
1

The installer patch has now been deployed. We will update the docs accordingly for anyone who already has an installed copy.

Thanks for your suggestion nyellin!

(Jan 12 '11 at 22:12) ryans ♦♦ ryans's gravatar image
Your answer
If you have an answer to the above question, then use the form below. Otherwise, use the appropriate 'add new comment' button above to post your feedback.
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Tags:

×81
×42
×4

Asked: Jan 11 '11 at 13:51

Seen: 1,881 times

Last updated: Jan 12 '11 at 22:12

Related questions

Git repository as a website

Many Simple SSL Certificates or One Multi-Domain MultiServer

security regarding webapp name

beanstalkd security

Unfuddle (Git Hosting) and Public Key

Git clone: Permission denied (publickey)

website for git repo returns 500 error

Git setup - automatic setup?

How to deploy with git?

How do I install the CVE-2011-0720 hotfix for Plone?

Plans & prices    Sign up    Why WebFaction?    Contact us    Affiliate program    Support    Legal    Jobs    Blog    Control panel login
Powered by OSQA
© Copyright 2003-2012 Swarma Limited - WebFaction is a service of Swarma Limited