TCTelevision Git Exposure

tctelevision.com - Exposed .git Repository


Summary

This annex documents a publicly exposed .git repository and the operational details it reveals about the affected deployment.

Exposed .git/config

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = https://[email protected]/nicolaspalautc/tcwordpress.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[pull]
    rebase = false

What This Reveals

| Finding | Value |
|---|---|
| Bitbucket repo | https://[email protected]/nicolaspalautc/tcwordpress.git |
| Developer username | |
| Dev server path | |
| Database name | |
| CDN | tctelevision.nyc3.digitaloceanspaces.com (DigitalOcean Spaces) |
| Google Analytics | |
| Google DFP network | |
| Marfeel SDK | Account ID 10180 |
| Dailymotion player | Player x9rx1, live stream x7wijay |

WordPress Stack

  • Theme: davenport (with child theme davenport-child)
  • Plugins: wp-optimize, Yoast SEO, health-check, Kirki, MediaCloud (S3 offload)
  • Server: nginx/1.14.1
  • DB table: tcwordpress.wp_as3cf_items (WP Offload Media / S3 connector)

wp-config.php~ Backup in Git Tree

A backup of wp-config.php exists as a git blob:

  • Blob hash: d70f0cb97ae9ce77d6b6c544a4d619160c802920
  • This file would contain full database credentials (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME)
  • The blob was not fully recoverable from the partial git dump (server blocks direct object access)

debug.log (20 MB)

Recovered from /.git dump:

  • Size: 20,449,885 bytes (62,327 lines)
  • Date range: June 26, 2025 — November 17, 2025
  • 29 server paths exposed (all under /var/www/dev.tctelevision.com/)
  • Error breakdown: 35,460 PHP Warnings, 23,662 PHP Notices, 3,138 PHP Deprecated
  • Notable paths:
    • /var/www/dev.tctelevision.com/wp-content/themes/davenport/functions.php
    • /var/www/dev.tctelevision.com/wp-content/themes/davenport/page-envivo.php (live TV page)
    • /var/www/dev.tctelevision.com/wp-content/plugins/wp-optimize/
    • /var/www/dev.tctelevision.com/wp-admin/customize.php

.gitignore (Recovered)

Confirms sensitive files are excluded from the repo but present on server:

  • wp-config.php (database credentials)
  • .env (environment variables)
  • wp-content/cache/ (wp-super-cache)
  • wp-content/uploads/ (media files)

Impact

TC Televisión is a state-owned television channel (seized from Isaías Group in 2008). This exposure reveals:

  1. Full source control infrastructure (Bitbucket private repo)
  2. Developer identity and credentials flow
  3. Two server environments (production + dev) on the same infrastructure
  4. DigitalOcean Spaces CDN for media hosting
  5. A wp-config.php~ backup blob that, if fully recovered, would yield database credentials

Bitbucket Repo Status

The Bitbucket repository (nicolaspalautc/tcwordpress) returns HTTP 404 — it is private. The username NicolaspalauTC is embedded in the remote URL, confirming this is a personal Bitbucket account managing state media infrastructure.

Files Saved

  • DUMP/RAW/tctelevision-git/ — 736 files, 24.6 MB
    • .git/ directory (partial)
    • .gitignore
    • wp-content/debug.log (20 MB)
    • 4 git commits recovered (Feb 19-27, 2026)
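
Defender-side check for the artifact classes documented in this annex (a .git directory inside the web root, a remote URL carrying a username, editor backups such as wp-config.php~, debug.log and .env), meant to be run against your own deployment's document root before release. This is an added example, not code from the original page or the affected project; the function names, the suffix list and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Assumed name patterns, modelled on the artifact classes this annex lists.
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".swp")
SENSITIVE_NAMES = {".env", "debug.log"}
# Matches the url key inside a [remote "name"] section of .git/config.
REMOTE_URL = re.compile(r'^\[remote "([^"]+)"\][^\[]*?^\s*url\s*=\s*(\S+)', re.M)

def remote_userinfo(config_text):
    """Return (remote, username) for each remote URL that embeds userinfo."""
    pairs = ((name, urlsplit(url).username) for name, url in REMOTE_URL.findall(config_text))
    return [(name, user) for name, user in pairs if user]

def audit_docroot(docroot):
    """Walk a web root; return sorted (kind, relative path, detail) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = lambda name: os.path.relpath(os.path.join(dirpath, name), docroot)
        if ".git" in dirnames:
            findings.append(("git-dir", rel(".git"), ""))
            cfg = os.path.join(dirpath, ".git", "config")
            if os.path.isfile(cfg):
                with open(cfg, encoding="utf-8", errors="replace") as fh:
                    for remote, user in remote_userinfo(fh.read()):
                        findings.append(("remote-userinfo", rel(".git/config"), f"{remote}:{user}"))
            dirnames.remove(".git")  # skip the object store itself
        for name in filenames:
            if name in SENSITIVE_NAMES:
                findings.append(("sensitive-file", rel(name), ""))
            elif name.endswith(BACKUP_SUFFIXES):
                findings.append(("backup-file", rel(name), ""))
    return sorted(findings)

def demo():
    """Audit a constructed docroot (sample data, not taken from the page)."""
    files = {".git/config": '[remote "origin"]\n\turl = https://dev-user@git.example.invalid/team/site.git\n',
             "wp-config.php": "", "wp-config.php~": "", ".env": "", "wp-content/debug.log": ""}
    with tempfile.TemporaryDirectory() as root:
        for path, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, path)), exist_ok=True)
            with open(os.path.join(root, path), "w") as fh:
                fh.write(body)
        return audit_docroot(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A non-empty result from audit_docroot on a production web root is a deployment defect: deploy from an export rather than a working copy, keep logs and backups outside the document root, and have the web server deny dotfiles.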