Think Before You Commit

No, this is not some sort of relationship advice post loses 50% of the readers.

A while ago I did a Github pull of around 500 WordPress plugins to see what I could find. There is heaps in there, but it takes quite some time to work through it all. One of the first things I noticed (again) – other people have been noticing this too – is that people really don’t look at the files they are committing. I felt the need to quickly give some examples of stuff that people commit and remind you why you should be careful with running ‘svn add ’ or ‘git add ’.

Sublime ftp details

I was looking at a plugin and found a file called ‘sftp-config.json’. Apparently this is a file used by Sublime. For those still wondering, the filename pretty much says what this file contains.

Still curious? Have a look at this:

https://www.google.com.au/search?q=filetype%3Ajson+sftp-config&oq=filetype%3Ajson+sftp-config

Yep, thats right. Passwords (and/or usernames) everywhere! This information is very valuable to an attacker. Even just the username can narrow down an attack significantly.

Private keys

I’ll just leave this link here:

https://www.google.com.au/search?q=site%3Agithub.com+filetype%3Apem+“PRIVATE”&oq=site%3Agithub.com+filetype%3Apem+“PRIVATE”

Private keys committed to a public repository?

.bash_history files and more

An other one which I think is quite disturbing is the following:

https://www.google.com.au/search?q=site%3Agithub.com+.bash_history+“mysql”+“-p+”&oq=site%3Agithub.com+.bash_history+“mysql”+“-p+”

As you can see the query searches for .bash_history files with the command “mysql” in it and the “-p ” parameter (used for passwords).

Again, passwords but also other quite sensitive system information everywhere!

Also (if you have the time) do read the README files in those repositories. Some of these repos are used to deploy other systems. How useful can this be?

Wrapping up

It’s important to note that not all these examples live on Github. There are countless examples on the web, not just limited to repositories. People put very sensitive information in public directories, on webserver and publicly accessible FTP servers that allow anonymous FTP access.

I’m not saying this is new. To most of you this is old news. Hell, most of you probably use these searches during pentests. My point is, this is a well known problem but it is still happening.

The only think I can say is, please check your (and your friends, colleagues and clients) public (and private) repositories (frequently). This is a simple and easy mistake to make. Luckily it’s a mistake that is easy to point out, easy to explain and easy to fix.

Ruben.

Comments