[pydotorg-www] [Webmaster] Mercurial repository found - CRITICAL

Steve Holden steve at holdenweb.com
Wed Mar 25 08:49:01 EDT 2020

Thanks Piyush,

I have forwarded this email to our web development team.

I rather doubt the information is up to date, since I don't think Mercurial
is used to maintain the source for the site. You will notice that the most
recent referenced date in the .hg directory is around eight years go.

Kind regards,

On Wed, Mar 25, 2020 at 11:21 AM Piyush Patil <piyushpatil666 at gmail.com>

> Hello Python Team,
> I have found vulnerability in your website. I hope it will help you to be
> more secure.
> Mercurial metadata directory (.hg) was found in this folder. An attacker
> can extract sensitive information by requesting the hidden metadata
> directory that version control tool Mercurial creates. The metadata
> directories are used for development purposes to keep track of development
> changes to a set of source code before it is committed back to a central
> repository (and vice-versa). When code is rolled to a live server from a
> repository, it is supposed to be done as an export rather than as a local
> working copy, and hence this problem.
> The vulnerability affects https://wiki.python.org/wiki/europython/
> *POC *- https://wiki.python.org/wiki/europython/.hg/requires
> [image: image.png]
> *The impact of this vulnerability*These files may expose sensitive
> information that may help an malicious user to prepare more advanced
> attacks.
> *How to fix this vulnerability*Remove these files from production systems
> or restrict access to the .hg directory. To deny access to all the .hg
> folders you need to add the following lines in the appropriate context
> (either global config, or vhost/directory, or from .htaccess):
> <Directory ~ "\.hg">
> Order allow,deny
> Deny from all
> </Directory>
> Please consider me adding to HOF as a guster that you guys care about
> whitehat people.
> Thank you
> _______________________________________________
> Webmaster mailing list
> Webmaster at python.org
> https://mail.python.org/mailman/listinfo/webmaster
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20200325/43e5986a/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 16495 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20200325/43e5986a/attachment-0001.png>

More information about the pydotorg-www mailing list