MikeBarnlund / SpiralDesign


Possible Vulnerability #1

Open HKResearch opened 10 years ago

HKResearch commented 10 years ago

Hello,

We are conducting research on the unintended exposure of secrets in GitHub repositories. In a recent scan we conducted of GitHub repositories, our tool detected that one of your repositories appears to expose a secret, and we've confirmed this possibility by manual inspection. The details are below:

| Branch | File | Lines |
| --- | --- | --- |
| WP331_Update | SpiralDesign/website/wp-config.php | 22, 28, 25 |
| buccaneer | SpiralDesign/website/wp-config.php | 24, 31, 28 |
| delivery | SpiralDesign/website/wp-config.php | 23, 29, 26 |
| iandi | SpiralDesign/website/wp-config.php | 22, 28, 25 |
| la_base | SpiralDesign/website/wp-config.php | 22, 28, 25 |
| la_portfolio | SpiralDesign/website/wp-config.php | 22, 28, 25 |
| lai | SpiralDesign/website/wp-config.php | 22, 28, 25 |
| lap | SpiralDesign/website/wp-config.php | 22, 28, 25 |
| lovecalgary | SpiralDesign/website/wp-config.php | 23, 29, 26 |
| master | SpiralDesign/website/wp-config.php | 24, 30, 27 |
| portfolio | SpiralDesign/website/wp-config.php | 22, 28, 25 |
| product | SpiralDesign/website/wp-config.php | 24, 30, 27 |
| qs | SpiralDesign/website/wp-config.php | 24, 31, 28 |
| slideshow_plugin | SpiralDesign/website/wp-config.php | 22, 28, 25 |
| slutshaming | SpiralDesign/website/wp-config.php | 24, 31, 28 |
| spiraldesign.ca | SpiralDesign/website/wp-config.php | 24, 31, 28 |
| tcd | SpiralDesign/website/wp-config.php | 22, 28, 25 |
| vv_base | SpiralDesign/website/wp-config.php | 22, 28, 25 |

If this information is indeed intended to be secret, we would recommend that you remove this file from the repository (using .gitignore) and generate new passwords for the vulnerable accounts. We would much appreciate a response, letting us know if we are mistaken in concluding that this is a secret, or if you made changes as a result of this report.

Thank you.
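An added illustration, not part of this issue and not the researchers' tool: a minimal scanner in the spirit of the report above, flagging `define()` lines in `wp-config.php` whose credential constants hold something other than WordPress's stock placeholders, applied to the same file as it appears on several branches, and printing findings in the Branch/File/Line layout the report uses. The branch contents and password values are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Constants in wp-config.php that carry credentials or signing keys
# (names as shipped in WordPress's wp-config-sample.php).
SECRET_CONSTANTS = {
    "DB_PASSWORD", "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}
# Values WordPress ships as placeholders: finding these is not an exposure.
PLACEHOLDERS = {"", "password_here", "put your unique phrase here"}

DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)"""
)

def find_secrets(php_source: str) -> List[Tuple[int, str]]:
    """(line_number, constant) for each secret-bearing define() with a real value."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = DEFINE_RE.search(line)
        if m and m.group("name") in SECRET_CONSTANTS and m.group("value") not in PLACEHOLDERS:
            hits.append((lineno, m.group("name")))
    return hits

def scan_branches(path: str, branches: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Run find_secrets over the same file on every branch; `branches` maps a
    branch name to that file's contents on the branch (hypothetical helper)."""
    return [(branch, path, lineno)
            for branch, source in branches.items()
            for lineno, _name in find_secrets(source)]

def format_report(findings: List[Tuple[str, str, int]]) -> str:
    """Render findings the way the issue report lists them."""
    return "\n".join(f"Branch: {b}\nFile: {f}\nLine: {n}\n" for b, f, n in findings)

# Constructed sample: 'master' has a real DB password but a placeholder AUTH_KEY;
# 'feature' has a placeholder DB password but a real AUTH_KEY.
SAMPLE_BRANCHES = {
    "master": ("<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_USER', 'wpuser');\n"
               "define('DB_PASSWORD', 'dev-db-pass-EXAMPLE');\n"
               "define('AUTH_KEY', 'put your unique phrase here');\n"),
    "feature": ("<?php\ndefine('DB_PASSWORD', 'password_here');\n"
                "define('AUTH_KEY', 'EXAMPLE-auth-key-value');\n"),
}

if __name__ == "__main__":
    print(format_report(scan_branches("SpiralDesign/website/wp-config.php", SAMPLE_BRANCHES)))
```

A scanner like this only tells you where a value lives on the branch tips; as the report's rotation advice implies, every prior commit still carries the old value, so the check is the trigger for rotation, not the fix.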

MikeBarnlund commented 10 years ago

Hi,

Thanks for the heads up. These files do, in fact, contain passwords, but only for private development environments (passwords are changed when deployed to production), so I did not make a change as a result of the report.

Thanks,

Mike

> From: HKResearch notifications@github.com
> Reply: MikeBarnlund/SpiralDesign reply@reply.github.com
> Date: July 3, 2014 at 11:04:02 AM
> To: MikeBarnlund/SpiralDesign spiraldesign@noreply.github.com
> Subject: [SpiralDesign] Possible Vulnerability (#1)
