Wotmap code

Hello,
Still in the Axiom-Team mailbox. I don't know whether it is of interest or should be treated as spam. @Paidge ? @ ?


HOST: wotmap.duniter.org
UUID: 54767b86d9f


Hello there,
Our security scanner Repo Lookout has found a likely vulnerability on a host for which you are listed as the contact!
Repo Lookout is a non-commercial project to find inadvertently publicly exposed source code repositories.

Details

The following URL was world-readable at the time of scanning (Jul 14 '23):

This allows (at least partial) access to the site’s underlying source code repository!

For instance, the last 5 code commits have been:

  • 83c53c80 : rebase (continue) (finish): returning to refs/heads/wot_json
  • 83c53c80 : rebase (continue): Update fa2rs
  • 8d0f1b0e : rebase (start): checkout master
  • bf555062 : checkout: moving from master to wot_json
  • 8d0f1b0e : clone: from Pierre-Jean CHANCELLIER / Wotmap · GitLab

Such access to the repository could give a malicious actor insight into the structure of the site (e.g. hidden functionality, critical bugs, or credentials to third-party services) and enable downstream attacks (e.g. data leakage, phishing, and extortion).

If this was not intended, we highly recommend disabling access to the source code repository!

Note that if the repository was intentionally made available, no action is required.

What is „Repo Lookout“?

Repo Lookout is a large-scale security scanner, with a single purpose: Find source code repositories that have been inadvertently exposed to the public and report them to the domain’s technical contact.

Visit www.repo-lookout.org to learn more about the project.

Sponsoring

If you found this vulnerability report useful, please consider supporting the project by becoming a sponsor on Ko-fi. Thank you very much!
Best regards,
The „Repo Lookout“ Team

1 Like

It is not spam but an automated alert. Since the source code is free, it is not a problem that it is publicly exposed on the web. But it is indeed not a very clean way to deploy a website; we could improve that for the next version of the wotmap.

1 Like

So do I archive the email, Geek? The information has been passed on :blush:

1 Like

I had an alert of this type for another project. It is possible to prevent access to these files by configuring the web server (NGINX).

1 Like
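As an added example (not configuration from this thread or from the Wotmap project), here is the kind of NGINX server block the previous reply refers to: it refuses to serve the `.git` directory that the scanner found, along with other dot-files that a `git clone` into the web root may leave behind. The host name and document root are placeholders.

```nginx
# Added example: NGINX configuration that hides repository metadata
# deployed into the web root. Host and paths are placeholders.
server {
    listen 80;
    server_name wotmap.example;        # placeholder, not the real host
    root /var/www/wotmap;              # assumed document root

    # Keep ACME challenges reachable: a "^~" prefix match wins over the
    # regex locations below, so /.well-known/ is not blocked by mistake.
    location ^~ /.well-known/ {
        allow all;
    }

    # Refuse every dot-file and dot-directory: .git/HEAD, .git/config,
    # .git/logs/HEAD, .git/objects/..., .svn, .hg, .env, .htpasswd, ...
    # Answer 404 rather than 403 so the response does not confirm
    # that the path exists on disk.
    location ~ /\. {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After `nginx -t` and a reload, `curl -sI http://host/.git/HEAD` should return 404; a 200 whose body starts with `ref:` means the rule is not being matched. The cleaner long-term fix, as the earlier reply notes, is to deploy only build output into the web root rather than the clone itself.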