[Expo-tech] Fwd: Exposed Git repository on host "expo.survex.com"!
Philip Sargent (Gmail)
philip.sargent at gmail.com
Sat Jul 29 07:28:50 BST 2023
Interesting, I hadn't heard of this project.
We're good though.
---------- Forwarded message ---------
From: Repo Lookout Reporter <reporter at repo-lookout.org>
Date: Sat, 29 Jul 2023, 03:07
Subject: Exposed Git repository on host "expo.survex.com"!
To: <philip.sargent at gmail.com>
HOST: expo.survex.com
UUID: ca3e3cf75ae
------------------------------
Hello there,
*Our security scanner Repo Lookout <https://www.repo-lookout.org/> has
found a likely vulnerability on a host for which you are listed as the
contact!*
Repo Lookout is a non-commercial project to find inadvertently publicly
exposed source code repositories.
Details
The following URL was world-readable at the time of scanning (Jul 27 '23):
- https://expo.survex.com/.git/logs/HEAD
*This allows (at least partial) access to the site's underlying source code
repository!*
For instance, the last 5 code commits have been:
- 6c92341e: update pending list
- c0b83a57: 1627 cave, instatiate 703-734
- b7adbb59: Capitalisation of filenames to UPPERCASE
- 0be4a557: logbook entry
- a9b40d4e: Online edit of entrance 1623-2023-lc-01
Such access to the repository could give a malicious actor insight into the
structure of the site (e.g. hidden functionality, critical bugs, or
credentials to third-party services) and enable downstream attacks (e.g.
data leakage, phishing, and extortion).
*If this was not intended, we highly recommend disabling access to the
source code repository!*
Note that if the repository was intentionally made available, no action is
required.
What is „Repo Lookout“?
Repo Lookout is a large-scale security scanner, with a single purpose: Find
source code repositories that have been inadvertently exposed to the public
and report them to the domain’s technical contact.
Visit www.repo-lookout.org to learn more about the project.
Sponsoring
If you found this vulnerability report useful, please consider supporting
the project by becoming a sponsor on Ko-fi <https://ko-fi.com/repolookout>.
Thank you very much!
Best regards,
The „Repo Lookout“ Team
------------------------------
Copyright 2022–23
Crissy Field GmbH <https://www.crissyfield.de/>