We write stuff

Equal Parts Bravado and Stupidity

Many years ago, I appeared amongst the pages of the erstwhile British music publication, the NME. I had attended a gig by The Rollins Band, as fronted by the ex-lead singer of the American punk band Black Flag, Henry Rollins, who at the time loathed stage divers. Because I was friends with idiots, I was flung on stage, and was described in print as exhibiting “equal parts of bravado and stupidity”. In this spirit (which resulted in my broken nose), this post has been written.

Deployment Failures and Information Leakage on High Profile Websites

Recently, on an engagement, we came across a rather interesting misconfiguration on a client's website. Somewhere during their deployment process, their web developer had git-cloned the website's source from their internal git repository onto the webserver itself. This seems like a reasonable thing for a web developer to do, as it allowed them to deploy their latest code immediately, with minimal effort spent shuffling files around. What they were unaware of is that it exposed their site to attack: they forgot to either delete or protect the ".git" directory created during the git-clone process, which contained a full copy of their site's source code, including configuration data (think: database credentials...).

Zoho: Managing a Bullet

Over six months ago, the team at Xiphos Research found a critical vulnerability in the ManageEngine Asset Explorer Agent produced by Zoho Corporation. Since we reported the vulnerability (and provided technical assistance and proof-of-concept code), Zoho have seemingly steadfastly ignored it and issued a number of product releases and updates that have left it unaddressed. Owing to the absence of vendor response (and seemingly understanding), we have taken the decision to publish details in the hope that users of Zoho ManageEngine can be aware of the threat and mitigate against it.
