WebFaction Community site

When you create a new Git application on WebFaction's control panel, a .htpasswd file is created with world-readable permissions. This means that anyone can access your private repositories by browsing to http://domain.com/path/to/git/.htpasswd, which contains a username and password-hash. (First the hash needs to be cracked, but that is easily done.)

To fix this:
1. The Git installer should set proper permissions on the .htpasswd file
2. Apache should be set up to protect all .htaccess and .htpasswd files, no matter what their file permissions are. (That is actually the default on Debian.)

Until one of those solutions can be implemented, I recommend updating the docs at http://docs.webfaction.com/software/git.html so that users can secure their repositories themselves.


I've posted a tad more information (and a line-by-line guide to securing your repositories) on my blog.

asked 11 Jan '11, 13:51 by nyellin


This is not supposed to happen. I just checked this on my own account and can verify that it is not the case:

[root@web162 git]# ls -la
-rw-r--r--  1 lucidsky lucidsky    767 Jan 11 15:36 .htaccess
-rw-r--r--  1 lucidsky lucidsky     23 Jan 11 15:36 .htpasswd

Also when I visited http://domain.com/.htaccess I was prompted with an auth, so it is not world readable. Could you please submit a support ticket so we can see why your account did this?

answered 11 Jan '11, 15:40 by johns ♦♦

I've done some more testing in a clean browser and I can reproduce this again. As you pointed out, .htaccess is protected, but .htpasswd is not protected.

To test this, I recommend creating a new git application from the control panel, as this will (temporarily) expose your repositories. If you want to test on your existing git application, then:
1. Make sure you have the default .htaccess file (which doesn't restrict access to ^.ht files).
2. Make sure that both .htaccess and .htpasswd have world-readable permissions (i.e. -rw-r--r--)

(12 Jan '11, 01:57) nyellin
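Added example, not WebFaction's installer, the blog guide, or anything posted in this thread: a small POSIX shell script that reproduces the state described above (a default .htaccess carrying only the Basic-auth directives and a 644 .htpasswd), audits a Git application directory for both problems, and applies the two fixes the question asks for: drop the world-read bit on .htpasswd and append an Apache rule that refuses to serve any .ht* file regardless of permissions. Assumptions, all mine: the served directory holds .htaccess and .htpasswd side by side; AllowOverride permits the directives used; the httpd process still has read access once the "other" bits are gone (true when it runs as the file owner); and the Apache 2.2/2.4 directive variants are selected with IfModule. The htpasswd entry is a constructed placeholder, not a real hash.

```shell
#!/bin/sh
# Audit and harden a Git application directory so that .htpasswd cannot be
# fetched over HTTP. Hypothetical helper written for this page, not
# WebFaction's installer. Assumes .htaccess and .htpasswd live in the same
# served directory and that httpd can still read .htpasswd as owner/group.

# Return 0 if the file exists and is not readable by "other", 1 otherwise.
# Column 8 of `ls -ld` output is the other-read bit (-rw-r--r-- -> "r").
file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8)" != "r" ]
}

# Return 0 if the .htaccess already contains the rule that denies .ht* files.
htaccess_blocks_dotfiles() {
    grep -Fq '<FilesMatch "^\.ht">' "$1" 2>/dev/null
}

# Print one warning per problem; return 1 if anything is exposed, 0 if clean.
audit_git_app() {
    app=$1
    rc=0
    file_is_private "$app/.htpasswd" || { echo "WARN: $app/.htpasswd is world-readable"; rc=1; }
    htaccess_blocks_dotfiles "$app/.htaccess" || { echo "WARN: $app/.htaccess does not deny .ht* files"; rc=1; }
    return $rc
}

# Apply both fixes from the report: remove the world bits from .htpasswd
# (owner and group left untouched) and add an Apache rule that refuses to
# serve .ht* files whatever their permissions. Idempotent: safe to run twice.
harden_git_app() {
    app=$1
    chmod o-rwx "$app/.htpasswd"
    if ! htaccess_blocks_dotfiles "$app/.htaccess"; then
        cat >> "$app/.htaccess" <<'EOF'

# Never serve .htaccess/.htpasswd, whatever their permissions (mirrors the Debian default)
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>
EOF
    fi
}

# Build a throwaway directory that reproduces the reported state: a default
# .htaccess with only Basic auth (no ^.ht rule) and a 644 .htpasswd.
# The hash value is a constructed placeholder, not a real htpasswd entry.
make_demo_app() {
    demo=$(mktemp -d)
    printf 'AuthType Basic\nAuthName "Git"\nAuthUserFile %s/.htpasswd\nRequire valid-user\n' \
        "$demo" > "$demo/.htaccess"
    printf 'alice:CONSTRUCTED_HASH_PLACEHOLDER\n' > "$demo/.htpasswd"
    chmod 644 "$demo/.htaccess" "$demo/.htpasswd"
    echo "$demo"
}

# Usage: sh harden_git_app.sh ~/webapps/git   (audit only; exit 1 if exposed)
# To fix, source the file and call: harden_git_app ~/webapps/git
if [ "$#" -gt 0 ]; then
    audit_git_app "$1"
fi
```

The FilesMatch rule only closes the HTTP path, and it only takes effect if the server's AllowOverride includes AuthConfig (2.4, `Require`) or Limit (2.2, `Order`/`Deny`); the permission change is what stops other local accounts from reading the file. If the server process does not run as the file owner, keep the group-read bit and put the server's user in the file's group rather than using `chmod 600`. The stronger fix, where the hosting allows it, is to point `AuthUserFile` at a .htpasswd stored outside the served directory, so there is nothing for Apache to serve in the first place.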

When fixing this, keep in mind that git repositories which have enabled anonymous read-only access don't use any sort of authentication at all. So there's also an easy privilege escalation attack right now.

(12 Jan '11, 02:06) nyellin

When I visit,

domain.com/.htpasswd

I am prompted with a login box, asking for a user/password

When I browse the file-system as another user, I cannot see .htpasswd, since the home directory is blocked from other users by FACLs. How are you gaining access to it or .htaccess without your user authorization, exactly? Please submit a support ticket with the exact URL.

(12 Jan '11, 19:43) johns ♦♦

Yes and No. If you have access to the repository in any form (as in, your own login) then you can use this method to see other people's usernames and perhaps find a hash collision to be able to submit commits masquerading as them. This is not a big vulnerability, but it's worth fixing.

nyellin is also correct about the privilege-escalation attack. Anonymous-read repositories expose the .htpasswd file directly; in essence, it would allow for someone to crack a commit password so that they could push to repositories that they should only be able to pull from.

We will now patch the installer.

(12 Jan '11, 21:31) ryans ♦♦

The installer patch has now been deployed. We will update the docs accordingly for anyone who already has an installed copy.

Thanks for your suggestion nyellin!

(12 Jan '11, 22:12) ryans ♦♦


question was seen: 3,520 times

last updated: 12 Jan '11, 22:12

© COPYRIGHT 2003-2016 SWARMA LIMITED - WEBFACTION IS A SERVICE OF SWARMA LIMITED