Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2025-00052
- Vendor: 對稱資訊股份有限公司
- Title: 面試趣 .git repository Information Leakage
- Introduction: .git repository leakage
Handling Status
Current status (workflow stages): Newly submitted - Reviewed - Reported - Patched - Not re-tested - Public
Handling History
- 2025/01/09 15:35:54 : Newly submitted (status updated by dx0xff)
- 2025/01/15 15:46:05 : Review completed (status updated by the HITCON ZeroDay service team)
- 2025/01/17 13:13:29 : Review completed (status updated by the HITCON ZeroDay service team)
- 2025/01/17 13:13:29 : Reported, no response (status updated by the HITCON ZeroDay service team)
- 2025/02/03 11:08:54 : Patched (status updated by the organization account)
- 2025/02/11 03:03:25 : Public (updated automatically by the HITCON ZeroDay platform)
Details
- ZDID: ZD-2025-00052
- Reporter: dx0xfc (dx0xff)
- Risk: Medium
- Type: Information Leakage (資訊洩漏)
References
- OWASP vulnerability description (Top 10 2017 - A3 Sensitive Data Exposure): https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
- CWE-200 vulnerability description: https://cwe.mitre.org/data/definitions/200.html
Related URLs
Description
0. Summary
While browsing, the researcher discovered that the .git directory is exposed on one of the subdomains, https[:]//search.interview.tw.
The repository can be downloaded with a number of open-source tools, such as git-dumper.
1. Proof of Concept (PoC)
- Fetch the repository with git-dumper: success.
- Run git log: the commit history is readable.
IMG#2
- The files inside the repository are readable as well.
IMG#3
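The finding above is the usual outcome of a web server that serves a deployed checkout, including its `.git` metadata, as static files. The following self-check (an added example, not part of the original report or of the affected service) is what a defender would run against their own hostnames to confirm the fix: it requests `/.git/HEAD` and, to avoid false alarms from sites that answer 200 to every path, only reports exposure when the body has the format of a real git HEAD file (a symbolic ref or a 40-hex commit id). The hostname in the usage call is a placeholder, and the sample bodies are constructed for the test.

```python
"""Self-check for exposed .git metadata (added example; hostnames are placeholders)."""
import re
import urllib.error
import urllib.request

# A genuine .git/HEAD is either "ref: refs/<branch>" or a detached 40-hex SHA-1.
_SYMREF = re.compile(r"^ref: refs/[\w./-]+\s*$")
_SHA1 = re.compile(r"^[0-9a-f]{40}\s*$")


def looks_like_git_head(body: bytes) -> bool:
    """True only if the bytes match the format of a git HEAD file."""
    try:
        text = body.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return bool(_SYMREF.match(text) or _SHA1.match(text))


def classify_response(status: int, body: bytes) -> str:
    """Pure decision logic, kept separate from networking so it can be tested offline.

    Returns one of:
      "exposed"   - 200 and a well-formed HEAD file (repository metadata is served)
      "catch-all" - 200 but not a HEAD file (the server answers 200 to unknown paths)
      "blocked"   - any non-200 status (404/403/etc.)
    """
    if status != 200:
        return "blocked"
    return "exposed" if looks_like_git_head(body) else "catch-all"


def check_git_exposure(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch <base_url>/.git/HEAD and classify the answer (network call)."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(512)
    except urllib.error.HTTPError as e:
        status, body = e.code, b""
    except (urllib.error.URLError, OSError) as e:
        return {"url": url, "status": None, "verdict": "error", "detail": str(e)}
    return {"url": url, "status": status, "verdict": classify_response(status, body)}


if __name__ == "__main__":
    # Placeholder host: replace with a hostname you operate.
    print(check_git_exposure("https://www.example.com"))
```

On nginx the usual remediation is to refuse the whole metadata tree rather than individual files, e.g. `location ~ /\.(git|svn|hg) { return 404; }`, and on Apache a `<DirectoryMatch "/\.git">` block with `Require all denied`; better still, deploy build artifacts rather than a live checkout so there is no `.git` directory under the document root at all. After the change, the check above should return `"blocked"` for every hostname.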
2. Evaluation
The researcher rates the severity as Medium based on:
- The repository is valuable to adversaries for finding credentials (e.g., passwords, keys). Nonetheless, a quick scan of the repository with gitleaks found nothing.
- The repository is valuable to adversaries for finding possible vulnerabilities (e.g., XSS, SQLi) in the source code.
Disclaimer
I am an independent cybersecurity researcher dedicated to identifying and reporting security vulnerabilities to improve the security of systems and services. My activities may include testing systems without explicit prior authorization, but my intent is purely ethical and aimed at enhancing security.
I adhere to responsible disclosure practices, ensuring that any vulnerabilities discovered are reported directly to the affected organizations, allowing them to address issues promptly and effectively. I do not engage in activities intended to exploit or harm systems or data, and I do not make guarantees regarding the accuracy or completeness of my findings.
By conducting these activities in good faith, I aim to assist organizations in strengthening their cybersecurity defenses. I am committed to collaborating with organizations to ensure that vulnerabilities are resolved without risk to their operations and to facilitate a constructive dialogue to address security concerns.
This disclaimer clarifies the ethical nature of my security research activities and my dedication to improving cybersecurity. Organizations are encouraged to contact me to discuss any findings and explore potential collaborations to enhance their security posture. Please consult a legal professional to ensure this disclaimer aligns with applicable laws and regulations.
Background of the Activity
- Non-intrusive Methods: I employ non-intrusive testing methods to minimize any potential impact on system performance and ensure that regular operations are not disrupted. All the information is found on the World Wide Web and the public Internet via OSINT.
- No System Alteration: I do not make any changes or alterations to systems during testing, ensuring that the integrity and functionality of the systems remain intact.
- Confidentiality: Any information collected during the assessment is treated with the highest level of confidentiality and shared only with authorized personnel. None of the data or information is revealed.
- Timely Reporting: All findings are reported promptly to the relevant stakeholders, enabling swift action to address any security vulnerabilities. I will stop further testing to prevent unnecessary data gathering when a possible exploit is found with sufficient evidence.
Glad to perform a re-test and feel free to ping me on the platform. Cheers.