Denying .git sub directory access

Status
Not open for further replies.

lethol

New Member
Apr 19, 2018
Hi all, I got an email today from what appears to be an ethical hacker pointing out publicly available information that could be used for vulnerability discovery, and suggesting it may be a good idea to limit access to it.

Apparently the current nginx rule to deny access to the .git directory does not cover all files inside the dir or any of its subdirectories. I checked on the latest git release and the rules look the same as in our old installation, so I'm guessing it still applies.

location ~ /\.git { deny all; }

Sample of available files and folders on our server
https://url/.git/FETCH_HEAD
https://url/.git/HEAD
https://url/.git/config
https://url/.git/logs/HEAD
https://url/.git/logs/refs/remotes/origin/master
https://url/.git/refs/remotes/origin/master
https://url/.gitlab-ci.yml
https://url/.git/index

Could someone verify this is the case for their installation as well with the latest version?

Thanks!

markjcrane

Active Member
Staff member
Jul 22, 2018
This was added some time ago. I've provided links to the files and looked at the history to find the dates when the rules were added.

Ubuntu Install - nginx config file fusionpbx (Committed on Jun 3, 2019)
- https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/ubuntu/resources/nginx/fusionpbx

Debian Install - nginx config file fusionpbx (Committed on Jan 7, 2020)
- https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/debian/resources/nginx/fusionpbx

FreeBSD Install - nginx config file fusionpbx.conf (Committed on Jan 7, 2020)
- https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/freebsd/resources/nginx/fusionpbx.conf

Centos Install - nginx config file fusionpbx (Committed on Sep 30, 2021)
- https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/centos/resources/nginx/fusionpbx

Devuan install - nginx config file fusionpbx (Committed on Apr 18, 2022)
- https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/devuan/resources/nginx/fusionpbx

People that installed their servers before these dates should update their nginx fusionpbx config files.

lethol

New Member
Apr 19, 2018
Hi Mark, thanks for your reply. I do have the location deny all rule in place in my config.

The point I was trying to make is that it will not deny access to specific individual files, such as the samples I provided.

It may be some other rule in the config that I’m missing but I’m failing to find it.

Thanks again for the feedback.
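The behaviour described in this thread (a `location ~ /\.git { deny all; }` rule present in the config, yet individual files under `.git/` still served) is consistent with how nginx selects a location block: regex locations are tried in the order they appear in the file and the first match wins, and a prefix location with the `^~` modifier suppresses the regex pass entirely. A regex `deny` placed after another regex location that also matches the URI is never reached. The script below is an added example, not code from this thread or from the FusionPBX project; it models nginx's documented location-selection rules in Python and runs the probe paths from the first post against three hypothetical configs: a weak one with a catch-all regex (`~ ^/(.*)$`, invented here for illustration; whether any real FusionPBX config has such a rule is not established by this thread) ahead of the `.git` deny, one with the deny regex moved first, and one using a `^~ /.git` prefix location. All location names and patterns are assumptions for the demonstration.

```python
import re

# Model of nginx location selection (per the nginx "location" directive docs):
#  1. "=" exact match wins immediately.
#  2. Among prefix locations ("" or "^~"), remember the longest match.
#  3. If that longest prefix has "^~", use it; regex locations are NOT checked.
#  4. Otherwise try "~" / "~*" regex locations in config order; first match wins.
#  5. If no regex matches, fall back to the longest prefix location.
# Each location is (modifier, pattern, name), in the order written in the config.

def select_location(locations, uri):
    """Return the name of the location block nginx would pick for `uri`, or None."""
    best_prefix = None
    for mod, pat, name in locations:
        if mod == "=":
            if uri == pat:
                return name
        elif mod in ("", "^~"):
            if uri.startswith(pat) and (best_prefix is None or len(pat) > len(best_prefix[1])):
                best_prefix = (mod, pat, name)
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix[2]
    for mod, pat, name in locations:
        if mod == "~" and re.search(pat, uri):
            return name
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return name
    return best_prefix[2] if best_prefix is not None else None


# Hypothetical configs (assumptions for illustration, not FusionPBX's actual file).
# WEAK: a catch-all regex appears before the .git deny, so the deny is never reached.
WEAK = [
    ("", "/", "app"),
    ("~", r"^/(.*)$", "rewrite"),   # hypothetical catch-all regex location
    ("~", r"/\.git", "deny"),       # the rule from the thread, but too late in regex order
]
# FIXED_ORDER: same rules, deny regex placed first among the regex locations.
FIXED_ORDER = [
    ("", "/", "app"),
    ("~", r"/\.git", "deny"),
    ("~", r"^/(.*)$", "rewrite"),
]
# FIXED_PREFIX: "^~" prefix location; regex pass is skipped for anything under /.git*.
FIXED_PREFIX = [
    ("", "/", "app"),
    ("^~", "/.git", "deny"),
    ("~", r"^/(.*)$", "rewrite"),
]

# Probe paths: the ones listed in the first post plus two extra cases
# (a nested repo and a normal page) to show the edge cases of each fix.
PROBE_URIS = [
    "/.git/FETCH_HEAD",
    "/.git/HEAD",
    "/.git/config",
    "/.git/logs/HEAD",
    "/.git/logs/refs/remotes/origin/master",
    "/.git/refs/remotes/origin/master",
    "/.gitlab-ci.yml",
    "/.git/index",
    "/sub/.git/HEAD",   # constructed: a checkout below the web root
    "/index.php",       # constructed: ordinary request that must keep working
]

def exposed(locations, uris=PROBE_URIS):
    """URIs for which the selected location is not the deny block."""
    return [u for u in uris if select_location(locations, u) != "deny"]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("deny regex first", FIXED_ORDER), ("^~ prefix", FIXED_PREFIX)):
        print(f"{label}: still reachable -> {exposed(cfg)}")
```

The weak config leaks every probe path; moving the deny regex ahead of the other regex locations blocks all of them, including `/sub/.git/HEAD`, because `~ /\.git` matches anywhere in the URI; the `^~ /.git` prefix form is immune to regex ordering but only covers a repository at the web root, so a nested checkout still leaks. In practice, check the real server rather than a model: `curl -sI https://host/.git/HEAD` should return 403 for each of the paths listed in the thread, and `nginx -T` shows the merged config in the order nginx actually evaluates it.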