.git directory not blocked in .htaccess, allowing source code enumeration #7

Open
opened 2026-05-14 21:15:12 +02:00 by Claude · 0 comments

## Problem

The `.htaccess` file only sets `Options -Indexes` and `DirectoryIndex index.php`. It does not deny access to the `.git/` directory:

```apache
Options -Indexes
DirectoryIndex index.php
```

## Location

`.htaccess`

## Risk

If the application is deployed with the `.git` directory present on the web root (common in git-pull deployments), attackers can directly access `.git/config`, `.git/HEAD`, `.git/refs/heads/master`, and packed objects. Using standard git-dumping techniques (e.g. `git-dumper`), an attacker can reconstruct the entire source code, including `env.php` (which contains database credentials and configuration), even if the file is in `.gitignore` and was committed by mistake.

## Suggested fix direction

Add the following to `.htaccess`:

```apache
RedirectMatch 404 /\.git
```

Or in Apache directory config:

```apache
<DirectoryMatch "^/.*/\.git/">
    Require all denied
</DirectoryMatch>
```

Additionally, ensure `.git` is never placed under the web-accessible root in production.
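An added verification script (not part of this issue or the OpenLongr project) for confirming, after the fix above is deployed, that the paths named in this issue are no longer served. It assumes the site's base URL is passed as the first argument, and it treats a 200 response without git-shaped content as a soft-404 from a catch-all `index.php` rather than as an exposure, since `RedirectMatch 404` should produce a real 404 and `Require all denied` a 403.

```python
"""Post-fix check: confirm a deployment does not serve its .git directory.
Constructed example; the base URL is taken from the command line."""
import re
import sys
import urllib.error
import urllib.request

# Paths named in the issue, plus the index file that git-dumping tools read first.
GIT_PROBES = ["/.git/HEAD", "/.git/config", "/.git/refs/heads/master", "/.git/index"]

# Content signatures that distinguish a real git artefact from a generic 200 page
# (for example a catch-all index.php that answers every request with 200).
SIGNATURES = {
    "/.git/HEAD": re.compile(rb"^ref: refs/|^[0-9a-f]{40}"),
    "/.git/config": re.compile(rb"\[core\]"),
    "/.git/refs/heads/master": re.compile(rb"^[0-9a-f]{40}\s*$"),
    "/.git/index": re.compile(rb"^DIRC"),  # git index files start with 'DIRC'
}


def classify(path: str, status: int, body: bytes) -> str:
    """Return 'blocked', 'exposed' or 'ambiguous' for one probe response."""
    if status in (403, 404):
        return "blocked"  # Require all denied -> 403, RedirectMatch 404 -> 404
    sig = SIGNATURES.get(path)
    if status == 200 and sig is not None and sig.search(body):
        return "exposed"
    # 200 without a git signature is usually a soft-404 / catch-all page.
    return "ambiguous"


def probe(base_url: str, path: str) -> tuple[int, bytes]:
    """Fetch one path from the site and return (status, first 4 KiB of body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, b""


def check_site(base_url: str) -> dict[str, str]:
    """Map every probe path to its verdict for the given site."""
    return {p: classify(p, *probe(base_url, p)) for p in GIT_PROBES}


if __name__ == "__main__":
    results = check_site(sys.argv[1])
    for path, verdict in results.items():
        print(f"{verdict:9} {path}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

Run it as `python3 check_git.py https://your-host` against your own deployment; a non-zero exit means at least one probe returned real git content and the fix is not in effect.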

## Severity

moderate

## Found by

Automated audit by Claude Code

Reference
bc1bb/OpenLongr#7