87 votes (Accepted)
Security implications of stolen .git/objects/ files
Should I be worried about it?
Worried? No, of course not.
You should be absolutely terrified and have nightmares about this.
Having a stolen .git directory means the attacker has the current and past ...

14 votes
Security implications of stolen .git/objects/ files
Worried? Maybe. Is your source code filled with holes? Then yes. But quite honestly, you should have been worried BEFORE your source code leaked.
People have this idea that they're safe because ...

11 votes (Accepted)
Is it so easy to hack mongodb database?
While this is true, that is true for many applications. If the attacker already has access to the file system it is far too late to worry about your database server. In unix-type operating systems, ...

10 votes
Why default settings are generally weaker than optimal ones?
One reason is that older algorithms are likely to have wider support. Such defaults probably ensure that the software runs on a wide variety of platforms out of the box. The software itself might also ...

7 votes
Are there any negative consequences if you change your ssh config for a host with `UpdateHostKeys no`?
From the documentation:
Additional hostkeys are only accepted if the key used to authenticate the host was already trusted or explicitly accepted by the user.
This means it will not accept arbitrary ...

5 votes
Committing encrypted passwords but not usernames
You should never be committing secrets to source code of any kind, encrypted or not. The username to authenticate into your server is probably a bit much in terms of sensitivity on its own, let alone ...

5 votes
Why use .ENV? What's wrong with storing secrets in a config.php file outside root directory?
To clarify, the security and flexibility are gained by putting secrets into environment variables.
.ENV is a convenience and, ideally, is not used in production. Many hosting services will handle ...

5 votes (Accepted)
Sharing the UUIDs of my Linux partitions
I am assuming you are asking whether or not a partition UUID is sensitive information.
A UUID is a random value assigned to the partition of a drive. It is used to reference the drive without needing ...

5 votes (Accepted)
Chicken-and-egg-problem: What's the intended secure way of installing anti-virus software with online installers?
Disclosure: I work for an anti-virus vendor.
First, the answer. Most vendors which I'm familiar with usually offer "full" or "offline" installers of their products. Typically they are usually more ...

5 votes
How to properly secure an ActiveMQ instance, and what are all of the different files for?
At the time I am answering this, this question is 2 years old, so my answer might include things that have changed from the time this was posted. I'll answer the second question first:
credentials....

5 votes (Accepted)
Making sure that SSH key is NOT used anywhere but specific hosts
Yes, this configuration uses ~/.ssh/work_key for workhost.example.com only.
From ssh_config(5):
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity files configured in ...

5 votes (Accepted)
putting database mongod.conf under $HOME/web-server/. instead of /etc/
The security depends on the actual permissions of the file.
On my system, the file is owned by root with rw-r--r-- permissions, so the configuration can be read by anybody, but nobody other than root –...

4 votes
What are the main advantages of using LibreSSL versus OpenSSL
While the OpenSSL project was busy missing the OpenSSL 3 release date by several years, firing multiple project managers in the process, the LibreSSL developers have started to replace large swaths of ...

4 votes
Security implications of stolen .git/objects/ files
No, you should not be terribly worried, unless you did horrible no-nos like putting credentials in your source tree. So the party who accessed these files saw part of your source history. Big deal. ...

4 votes (Accepted)
Changing $_SERVER['REMOTE_ADDR'] remotely
The $_SERVER['REMOTE_ADDR'] can be trusted. This is the source address of the TCP connection to the server, it is not taken from headers that are sent by the client as is the case with some of the ...

3 votes (Accepted)
Why would a hacker bother with stealing your database password?
But if somebody can steal it from those places, then s/he can already inject code into your system
This premise is wrong. Especially for a config file, there are multiple ways the password could be ...

3 votes
How do I protect the Azure Client ID and Client Secret in HashiCorp Vaults with AKV Auto-Unseal?
Reading your post, I think I understand your ask. You've already taken a great step of securing your credentials within a vault, but now you're concerned that the API credentials that allow you to ...

3 votes (Accepted)
Is allow_url_fopen always a security risk?
It is a security risk in the sense that it is incredibly tricky to get right. A small mistake you may have no idea you made could compromise you. That being said, if you do actually get it correct, ...

2 votes (Accepted)
Do HP ProCurve 1810G Config files have password hashes or other sensitive info?
The password is very likely somewhere in that binary blob, so yes, you should keep the backup file safe.
A while back I stumbled across http://www.happyhacking.org/Happy_Hacking/Blog/Entries/2010/3/...

2 votes (Accepted)
SSH to IP instead of to fully qualified hostname: does this reduce MITM risk?
Generally, using the VPS company's API is a good idea, given its proper reliability and also enough resources to implement and maintain that on your side. After all, the SSH key management ...

2 votes
Permissions for configuration file for program run as root that must be modifiable by SFTP
Assuming the only member of the sftp-user group is sftp-user, all of the permissions you have listed would be equivalent. The only users that would be able to read or write the file would be sftp-...

2 votes (Accepted)
metasploit openvas plugin not connecting to OpenVAS9-Manager
In the file /etc/init.d/openvas-manager, which manages the service, you will see that it includes a file with parameters and then uses the variables from that file as arguments.
# Read configuration ...

2 votes
Committing encrypted passwords but not usernames
If you are talking about the distribution of configuration secrets, I would argue that the password is the secret, not the username or a comment which describes what it can be used for.
It's true, ...

2 votes
Is it correct to assign a CVSS to a misconfiguration?
As noted in the comments, your HTTP example would not be a misconfiguration. But, certain configs can result in or amplify vulnerabilities. For example, if an endpoint on a web app does not enforce ...

2 votes (Accepted)
Configuring Argon2id for Multiple Threads
There is no perfect solution. There is always a trade off between security, price and user experience. If you want to get both higher security and acceptable response times, consider using more ...

2 votes
Assigning static IP address other than 127.0.0.0/8 to loopback interface
I see a number of answers here about the use of binding IP addresses to loopback interfaces. To be clear, this is not uncommon. It's actually something that is done quite often, for example to create ...

2 votes (Accepted)
Can a router be configured from outside the local network?
According to the manual, if Remote Assistance is enabled, then outsiders can access your router management via the external IP address:
So, it is possible, but is disabled by default, and appears to ...

2 votes
How to make Squid Proxy undetectable by ip-check.net?
The URL you've used seems to determine if a client uses a proxy not (only) based on HTTP headers but also where the request comes from.
To check I've used ssh -Dport dst, which creates a SOCKS proxy ...

1 vote
Why modern php web application requires to specify the application's url?
Speaking specifically for Moodle, it's used to allow changing the path dynamically based on config. This lets you host a site at, e.g., domain.com/moodleroot instead of just domain.com, allowing one ...