<div dir="auto">Interesting, I hadn't heard of this project.<div dir="auto">We're good though.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Repo Lookout Reporter</strong> <span dir="auto"><<a href="mailto:reporter@repo-lookout.org">reporter@repo-lookout.org</a>></span><br>Date: Sat, 29 Jul 2023, 03:07<br>Subject: Exposed Git repository on host "<a href="http://expo.survex.com">expo.survex.com</a>"!<br>To: <<a href="mailto:philip.sargent@gmail.com">philip.sargent@gmail.com</a>><br></div><br><br><div><div><div><span>HOST</span><span>:</span>
<span><a href="http://expo.survex.com" target="_blank" rel="noreferrer">expo.survex.com</a></span></div><div><span>UUID</span><span>:</span>
<span>ca3e3cf75ae</span></div><hr></div><p>Hello there,<p><strong>Our security scanner <a href="https://www.repo-lookout.org/" target="_blank" rel="noreferrer">Repo Lookout</a> has found
a likely vulnerability on a host for which you are listed as the contact!</strong><p>Repo Lookout is a non-commercial project to find inadvertently publicly exposed source code
repositories.<h2>Details</h2><p>The following URL was world-readable at the time of scanning
(Jul 27 '23):<ul><li><a href="https://expo.survex.com/.git/logs/HEAD" target="_blank" rel="noreferrer">https://expo.survex.com/.git/logs/HEAD</a></li></ul><p><strong>This allows (at least partial) access to the site's underlying source code
repository!</strong><p>For instance, the last
5 code commits have been:<ul><li><code>6c92341e</code><span>:</span> update pending list</li><li><code>c0b83a57</code><span>:</span> 1627 cave, instantiate 703-734</li><li><code>b7adbb59</code><span>:</span> Capitalisation of filenames to UPPERCASE</li><li><code>0be4a557</code><span>:</span> logbook entry</li><li><code>a9b40d4e</code><span>:</span> Online edit of entrance 1623-2023-lc-01</li></ul><p>Such access to the repository could give a malicious actor insight into the structure of the
site (e.g. hidden functionality, critical bugs, or credentials to third-party services) and
enable downstream attacks (e.g. data leakage, phishing, and extortion).<p><strong>If this was not intended, we highly recommend disabling access to the source code
repository!</strong><p>Note that if the repository was intentionally made available, no action is required.<h2>What is „Repo Lookout“?</h2><p>Repo Lookout is a large-scale security scanner, with a single purpose: Find source code
repositories that have been inadvertently exposed to the public and report them to the domain’s
technical contact.<p>Visit <a href="https://www.repo-lookout.org/" target="_blank" rel="noreferrer">www.repo-lookout.org</a> to learn more about the
project.<h2>Sponsoring</h2><p>If you found this vulnerability report useful, please consider supporting the project by
becoming a sponsor on <a href="https://ko-fi.com/repolookout" target="_blank" rel="noreferrer">Ko-fi</a>. Thank you very much!<p><br>Best regards,<br>The „Repo Lookout“ Team</p></p></p></p></p></p></p></p></p></p></p></p></p></div><div><hr><div>Copyright 2022–23<br><a href="https://www.crissyfield.de/" target="_blank" rel="noreferrer">Crissy Field GmbH</a></div></div></div>
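<p>The report above says a world-readable <code>.git/logs/HEAD</code> is enough to list recent commits. The following is an added example, not code from Repo Lookout or from either party in this thread, showing how that check works end to end: a cheap probe of <code>/.git/HEAD</code> that distinguishes a real git file from a soft 404, and a parser for the reflog format that recovers the last N commits. The reflog sample is constructed inline (invented hashes, names and messages, none from the repository in the report); the <code>probe()</code> function takes a hypothetical base URL and is the only part that touches the network.</p>

```python
"""Check a site for an exposed .git directory and read its reflog.

Added example for the report above; it is not code from Repo Lookout or
from the forwarded e-mail. SAMPLE_REFLOG is constructed: the hashes,
names and messages are invented and belong to no real repository.
"""
import re
import urllib.request

# Constructed sample of a .git/logs/HEAD file. git writes one line per
# change of HEAD, in the form:
#   <old sha> <new sha> <name> <<email>> <unix time> <tz>\t<action>: <subject>
SAMPLE_REFLOG = (
    "0000000000000000000000000000000000000000 1111111111111111111111111111111111111111 "
    "Dev One <dev1@example.invalid> 1690000000 +0100\tcommit (initial): first import\n"
    "1111111111111111111111111111111111111111 2222222222222222222222222222222222222222 "
    "Dev One <dev1@example.invalid> 1690100000 +0100\tcommit: add login form\n"
    "2222222222222222222222222222222222222222 3333333333333333333333333333333333333333 "
    "Dev Two <dev2@example.invalid> 1690200000 +0100\tpull: Fast-forward\n"
    "3333333333333333333333333333333333333333 4444444444444444444444444444444444444444 "
    "Dev Two <dev2@example.invalid> 1690300000 +0100\tcommit: store API key in settings\n"
)

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def looks_like_git_head(body: str) -> bool:
    """True if a fetched /.git/HEAD body is what git itself writes there:
    a symbolic ref ('ref: refs/heads/...') or a bare 40-hex SHA (detached
    HEAD). An HTML error page or an empty soft-404 is not an exposure."""
    stripped = body.strip()
    if not stripped:
        return False
    first = stripped.splitlines()[0]
    return first.startswith("ref: refs/") or bool(HEX40.match(first))


def parse_reflog(text: str):
    """Parse .git/logs/HEAD into dicts, oldest first. Malformed lines are
    skipped rather than raising: a scanner often sees truncated files."""
    entries = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        head, _, message = line.partition("\t")
        fields = head.split(" ")
        if len(fields) < 5 or not HEX40.match(fields[1]) or not fields[-2].isdigit():
            continue
        new_sha = fields[1]
        # git's message is "<action>: <subject>"; keep both parts
        action, sep, subject = message.partition(": ")
        entries.append({
            "sha": new_sha,
            "short": new_sha[:8],
            "action": action if sep else "",
            "subject": subject if sep else message,
            "timestamp": int(fields[-2]),
        })
    return entries


def recent_commits(text: str, n: int = 5):
    """Last n commits, newest first, as (short sha, subject) pairs: the
    summary the report above prints from the exposed reflog."""
    return [(e["short"], e["subject"]) for e in reversed(parse_reflog(text))][:n]


def flag_secrets(text: str):
    """Commit subjects alone reveal what a repository holds; return the
    short SHAs whose subject mentions credentials."""
    pat = re.compile(r"(api[ _-]?key|password|secret|token|credential)", re.I)
    return [e["short"] for e in parse_reflog(text) if pat.search(e["subject"])]


def probe(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch <base_url>/.git/HEAD and report whether a git HEAD is served.
    Network-dependent (hypothetical host); not used by the offline sample."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except (OSError, ValueError):
        return False
    return looks_like_git_head(body)


if __name__ == "__main__":
    for short, subject in recent_commits(SAMPLE_REFLOG):
        print(f"{short}: {subject}")
    print("credential-related commits:", flag_secrets(SAMPLE_REFLOG))
```

<p>Two practical notes. First, <code>/.git/HEAD</code> is the cheap first check, but a web server that returns a 200 with an HTML body for unknown paths will fool a naive status-code test, which is why the function inspects the content. Second, the fix is to stop serving the directory, not to hide it: in nginx a rule such as <code>location ~ /\.git { deny all; }</code>, or in Apache <code>RedirectMatch 404 /\.git</code>, covers <code>logs/HEAD</code>, <code>index</code>, <code>packed-refs</code> and the object store alike, and those last files are what let an attacker reconstruct the full source tree even with directory listing disabled.</p>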