CyberInsights
The blog about your IT security

.git directory: How to close security vulnerabilities

Actually, this gap should have been history long ago, because it has been known and well documented since 2015. The result of our scans was all the more surprising: of 6,927,416 domains and subdomains tested in Germany, a total of 41,252 websites are affected. In this blog post we concentrate on the .git directory only, but note that other version control tools can be vulnerable to the same kind of misconfiguration.

What is .git?

Many web developers use the open source version control tool “Git” to create and maintain their websites; it records every change to the files in the project. Over time this builds up a history, which is stored by default in the “.git” folder in the project’s root directory – the so-called “repository”. If this directory is present in the file system of your web presence without being needed, or is not properly secured, its contents are readable by anyone on the public Internet. Access to the .git folder can expose source code, server access keys, database passwords, hosted files and other sensitive information.

Note: There are numerous tools that cybercriminals use to search for open directories automatically and download their contents. Since “Git” is one of the universally used standard tools in software development, this particular directory is a promising entry point for attackers. For this reason, we recommend closing this gap as soon as possible.

What makes a publicly accessible .git directory dangerous?

The version control tool creates a folder called “.git” in the root directory of the project, where a full copy of the repository is stored. The problem is that many developers simply copy their working directory and upload it to the web server along with the .git directory. If the path to the .git directory is then not protected, source code, server access keys, database passwords, hosted files and other sensitive information can be exposed.

Caution: Since this vulnerability has been known for quite some time, corresponding tools can also be found to automatically scan and download these directories. Similar to other misconfigurations, the responsibility lies with the person who creates and maintains the website, which in many cases will be their own IT department or IT service provider. For this reason, affected parties should arrange for the vulnerability to be closed as soon as possible.

How can I find out if my website is affected?

To find out whether a domain is affected, enter the domain in the browser’s address bar followed by the path of a file inside the .git directory (example: https://www.Meine-Domain.de/.git/HEAD). If the request returns an error message, the path does not exist or has been secured. If instead you receive a response such as “ref: refs/heads/master”, you are affected by this security vulnerability and should configure the web server accordingly.
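The same check as a small script, added here as an example and not part of the original post: it requests /.git/HEAD for a domain you operate and classifies the answer, and can be rerun after one of the server configurations below has been applied. The base URL and the User-Agent string are assumptions.

```python
# Added example, not from the original post: a self-check for a domain you
# operate that requests /.git/HEAD (as described above) and classifies the
# answer. The base URL and the User-Agent string are assumptions.
import re
import sys
import urllib.error
import urllib.request

# git writes HEAD either as a symbolic ref ("ref: refs/heads/master") or,
# on a detached HEAD, as a bare SHA-1 (40 hex) or SHA-256 (64 hex) commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def looks_like_git_head(body: str) -> bool:
    """True if the text has the exact shape of a .git/HEAD file."""
    return HEAD_RE.match(body.strip()) is not None


def classify(status: int, body: str) -> str:
    """Map an HTTP status and body to 'exposed', 'not exposed' or 'unclear'.

    A 200 alone is not enough: a site that answers every unknown path with a
    200 HTML page (soft 404) would otherwise show up as a false positive.
    """
    if status == 200 and looks_like_git_head(body):
        return "exposed"
    if status in (401, 403, 404, 410):
        return "not exposed"
    return "unclear"


def check_site(base_url: str, timeout: float = 5.0) -> str:
    """Fetch <base_url>/.git/HEAD and classify the response."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(512).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as exc:
        return classify(exc.code, "")
    except (urllib.error.URLError, OSError):
        return "unclear"


if __name__ == "__main__":
    # e.g. python git_check.py https://www.Meine-Domain.de
    for site in sys.argv[1:]:
        print(f"{site}: {check_site(site)}")
```

A result of “unclear” (for example a 200 with an HTML body, or a 500) means the path is not demonstrably readable but has not been confirmed blocked either, so look at the response by hand.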

Note: We are also contacting affected parties in parallel with an automated email so that they can close the vulnerability as quickly as possible.

.git: How can I close the vulnerability in the directory?

Fortunately, closing this vulnerability is quite simple, because a few lines of configuration are usually enough to secure your web pages properly. Below we explain the procedure for the most common web servers. Alternatively, you can remove the directory from your web server entirely (from the web server only, not from your development copy).

The suggested solutions refer to the current version of the respective web server and may not work with older versions. In case of doubt, it is always advisable to keep the components of your IT infrastructure as up-to-date as possible, as outdated products often no longer receive patches and bug fixes or offer less performance. We would appreciate it if you would take this situation as an opportunity to thoroughly check all your systems.

Deleting the directory

Basically, the guiding principle is: only allow access to content that is really needed to provide your web offering. First, check whether the presence of the .git directory on the web server is really required for the website to work. In many cases the directory won’t be needed. If you do need to keep the folder, secure the directory as described below, depending on the server you are using.

APACHE 2.4.X

<DirectoryMatch "^/.*/\.git/">
    Require all denied
</DirectoryMatch>

Entering this block in httpd.conf prevents the .git directory from being requested, thus protecting against unauthorized viewing. Note: this syntax applies to Apache 2.4; older versions (end-of-life 2018) should no longer be used.

NGINX

location ~ /\.git/ {
    deny all;
}

To protect against unauthorized viewing of the .git directory, place this block inside the server block of nginx.conf (or of the relevant site configuration file).

LIGHTTPD

For lighttpd, you must first enable the mod_access modules:

server.modules += ( "mod_access" )

You can then block the paths to the .git directory with the following code in lighttpd.conf:

$HTTP["url"] =~ "^/\.git/" {
    url.access-deny = ( "" )
}

As an alternative, you can keep the .git directory outside the document root altogether by using Git’s --git-dir and --work-tree options.

MICROSOFT IIS

Using the following PowerShell commands, add the .git directory to request filtering as a hidden segment:

Import-Module IISAdministration

$requestFiltering = Get-IISConfigSection -CommitPath 'Default Web Site' -SectionPath 'system.webServer/security/requestFiltering'

$hiddenSegments = Get-IISConfigCollection -ConfigElement $requestFiltering -CollectionName 'hiddenSegments'

New-IISConfigCollectionElement -ConfigCollection $hiddenSegments -ConfigAttribute @{ 'segment' = '.git' }

The resulting entry in web.config should then look like this:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment=".git"/>
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

.git directory security vulnerabilities – summary

The version control tool Git is a popular tool for developer collaboration and can be understood as a kind of “diary” of the developers. It may happen that this .git directory is openly accessible and thus reveals source code, server access keys, database passwords, hosted files and other sensitive information. Through our scans, we know that 41,252 websites in Germany are affected by this vulnerability. To close it, you just need to configure your web server correctly; we have provided a short guide above.

This article is adapted from the article by our colleagues at Internetwache.org, who covered this topic in detail back in 2015. We were very surprised that this resource seems to have been rarely used over the last five years and have therefore revisited the topic. To make this issue a bit more understandable for everyone, we have compiled further incidents from the last five years for you here.

The solutions listed above are only examples of how to fix the vulnerability without any warranty. Make sure to always consider the overall configuration under which you operate your Internet presence and contact your IT system house if you have any questions.

Stay safe!

The DGC Team

Sources and further articles

Internetwache.org: Wie ungeschützte .git Repositorys die Sicherheit Ihrer Webseite gefährden – Eine Analyse der Alexa 1M (2015)

Golem.de: Riskante Git-Verzeichnisse (2015)

Threatpost.com: Open .Git Directories Leave 390K Websites Vulnerable (2018)
