AttackEdge · SAMPLE REPORT · NOT YOUR DATA
Generated Mon 11 May 2026

acme-dental.com.au

Monthly check #4 · Run started 2026-05-11 · Completed in 18m 42s

Risk grade
B+
↑ from C last month
Risk score
72 / 100
Findings
1 new · 2 fixed · 5 ongoing
Coverage
5 active assets scanned
3 emerging-threat triggers ran this month

Executive summary

Plain English. No jargon. Send this to your boss.

We checked the public footprint for acme-dental.com.au across the website, the mail setup, and the DNS edges. One critical item needs same-day attention: an exposed .git directory on the main site. Two high-impact items relate to a stale staging subdomain and plain-text patient mail in transit. Two findings from last month, the outdated jQuery library and the missing SPF record, are now fixed.

What needs attention

Severity | Issue | What it means
Critical | Exposed .git directory | Anyone can clone your application source. Rotate any credentials in the repo and remove the .git tree from the document root.
High | Dangling CNAME on staging subdomain | Points at a deleted Heroku app. Anyone can register that app name and serve content under your subdomain.
High | STARTTLS disabled on inbound mail server | Patient appointment confirmations are arriving in plain text. Enable STARTTLS in the mail provider settings.
Low | Server banner reveals Apache 2.4.46 | Cosmetic on its own, but hiding it removes one cheap reconnaissance signal for an attacker mapping your stack.
Low | Cookies missing SameSite attribute | Lowers the bar for cross-site request forgery on your admin pages.

Working well

  • Fixed since last cycle: jQuery 1.9.1 with 13 known CVEs.
  • Fixed since last cycle: Missing SPF record.
  • Cloudflare in front of the origin. Not a finding; logged for cadence and evidence.

Findings

The technical detail. Send this to your IT team or web developer.

1 new · 5 ongoing
  • Critical

    Exposed .git directory

    www.acme-dental.com.au · Found 11 May 2026 · new

    Anyone can clone your application source. Rotate any credentials in the repo and remove the .git tree from the document root.


    What we saw

    The directory /.git/ is served from the public web root with directory listing enabled, exposing objects, refs, and config. Listing is not even required: git keeps its metadata at well-known paths (.git/HEAD, .git/index, .git/objects/...), so tooling can reconstruct the full repository history from those alone, including any secret that was ever committed (API keys, database passwords, internal URLs), even if a later commit removed it.

    Evidence

    GET https://www.acme-dental.com.au/.git/config
    HTTP/1.1 200 OK
    Content-Type: text/plain
    
    [core]
      repositoryformatversion = 0
      filemode = true

    How to fix it

    Remove the .git directory from the deployed web root; deployment scripts should never copy it (deploy from a build artifact or an export rather than a working checkout). As a second layer, block requests matching /.git/ at Nginx, Apache, or Cloudflare and return 404. Treat every secret that has ever been committed to the repository as compromised and rotate it: deleting the directory or rewriting history does not help if the repository has already been cloned. Check the web server access logs for earlier requests to /.git/ to establish whether that happened.
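One way to reproduce this check with a soft-404 guard, as an added example that is not the scanner's own code. The fetch callable is injected and the responses below are constructed, so it runs offline; for a live host, fetch would wrap a real HTTP client such as requests.get. The point the evidence above does not show: a site that answers 200 for every path must not produce a finding, so the verdict depends on the body looking like git metadata, not on the status code.

```python
import re
from typing import Callable, Dict, Tuple

# fetch(path) -> (status, body). Injected so the check can run offline
# against constructed responses; wrap requests.get / urllib for a live host.
Fetcher = Callable[[str], Tuple[int, str]]

# A real .git/HEAD is either a symbolic ref or a bare commit id (SHA-1 or SHA-256).
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")
CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)


def git_exposed(fetch: Fetcher) -> Dict[str, object]:
    """Decide whether /.git/ is served. 'exposed' is True only when the body
    looks like git metadata; a catch-all 200 page is not a finding."""
    status, head = fetch("/.git/HEAD")
    head = head.strip()
    if status != 200 or not HEAD_RE.match(head):
        return {"exposed": False, "reason": f"/.git/HEAD: status {status}, not a git ref"}

    # Soft-404 guard: a path that cannot exist must not come back identical.
    bogus_status, bogus = fetch("/.git/no-such-file-a1b2c3")
    if bogus_status == 200 and bogus.strip() == head:
        return {"exposed": False, "reason": "catch-all 200: bogus path returns the same body"}

    cfg_status, cfg = fetch("/.git/config")
    return {
        "exposed": True,
        "head": head,
        "config_readable": cfg_status == 200 and CONFIG_RE.search(cfg) is not None,
        "reason": "/.git/HEAD is a git ref",
    }


def make_fetch(responses: Dict[str, Tuple[int, str]],
               default: Tuple[int, str] = (404, "Not Found")) -> Fetcher:
    """Build an offline fetcher from a path -> (status, body) table."""
    return lambda path: responses.get(path, default)


# Constructed sample responses (not captured from any real host).
EXPOSED = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"),
}
CATCH_ALL_PAGE = (200, "<html><body>Welcome to our clinic</body></html>")
HARDENED = {"/.git/HEAD": (404, "Not Found"), "/.git/config": (404, "Not Found")}

if __name__ == "__main__":
    print(git_exposed(make_fetch(EXPOSED)))                        # exposed, config readable
    print(git_exposed(make_fetch({}, default=CATCH_ALL_PAGE)))     # not exposed: catch-all page
    print(git_exposed(make_fetch(HARDENED)))                       # not exposed: blocked
```

After the fix, the HARDENED case is what the check should return against the real site; keep it in the monthly run so a future deployment that reintroduces the directory is caught.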

  • High

    Dangling CNAME on staging subdomain

    staging.acme-dental.com.au · Found 6 May 2026 · ongoing

    Points at a deleted Heroku app. Anyone can register that app name and serve content under your subdomain.


    What we saw

    staging.acme-dental.com.au is a CNAME to acme-dental-staging.herokuapp.com, but the Heroku app has been deleted. The CNAME still resolves, so anyone who registers acme-dental-staging on Heroku can publish content that browsers load under your subdomain. Because they control what the hostname serves, they can also obtain a valid TLS certificate for it through an ACME HTTP-01 challenge, so the padlock offers no protection, and any cookie your main site sets with Domain=.acme-dental.com.au is sent to their page.

    Evidence

    dig +short staging.acme-dental.com.au CNAME
    acme-dental-staging.herokuapp.com.
    
    curl -I https://acme-dental-staging.herokuapp.com
    HTTP/1.1 404 Not Found
    Server: Heroku

    How to fix it

    Delete the CNAME record at the DNS provider (preferred), or repoint it to a host you control. If staging is still in use, recreate the Heroku app under the same name and lock it down behind basic auth or Cloudflare Access. Add a step to the decommissioning checklist: remove the DNS record before deleting the hosted resource, not after.
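A classifier for the takeover condition above, as an added example that is not the scanner's code. The CNAME resolver and HTTP fetcher are injected, the sample DNS and HTTP data are constructed, and the provider fingerprint list is assumed and illustrative (re-verify each string against the provider's current error page before relying on it). For a live run, resolve_cname could wrap dnspython's dns.resolver.resolve(host, "CNAME") and fetch could wrap requests.get.

```python
from typing import Callable, Dict, Optional, Tuple

# Injected so the classifier runs offline:
#   resolve_cname(host) -> CNAME target, or None when the name has no CNAME
#   fetch(host) -> (status, body), or None when the name does not resolve at all
Resolver = Callable[[str], Optional[str]]
Fetcher = Callable[[str], Optional[Tuple[int, str]]]

# Provider suffixes whose hostnames a new tenant can claim once the original
# resource is deleted, with the text their "unclaimed" page shows.
# ASSUMED, illustrative entries; extend with the providers you actually use.
CLAIMABLE: Dict[str, str] = {
    "herokuapp.com": "no such app",
    "github.io": "there isn't a github pages site here",
}


def classify_cname(host: str, resolve_cname: Resolver, fetch: Fetcher) -> Dict[str, object]:
    """Classify one hostname: no-cname, cname-to-unlisted-target,
    dangling-nxdomain, dangling-claimable, or live."""
    target = resolve_cname(host)
    if target is None:
        return {"host": host, "target": None, "status": "no-cname"}
    target = target.rstrip(".").lower()
    provider = next((s for s in CLAIMABLE if target == s or target.endswith("." + s)), None)
    if provider is None:
        return {"host": host, "target": target, "status": "cname-to-unlisted-target"}
    # Request the subdomain itself, as a browser would, so the provider's
    # router decides on the Host header exactly as it would for a victim.
    resp = fetch(host)
    if resp is None:
        return {"host": host, "target": target, "provider": provider, "status": "dangling-nxdomain"}
    _status, body = resp
    if CLAIMABLE[provider] in body.lower():
        return {"host": host, "target": target, "provider": provider, "status": "dangling-claimable"}
    return {"host": host, "target": target, "provider": provider, "status": "live"}


# Constructed sample data (not captured from any real host).
SAMPLE_CNAMES = {
    "staging.acme-dental.com.au": "acme-dental-staging.herokuapp.com.",
    "www.acme-dental.com.au": None,
    "docs.acme-dental.com.au": "acme-dental.github.io.",
}
SAMPLE_HTTP = {
    "staging.acme-dental.com.au": (404, "<title>Heroku | No such app</title>"),
    "docs.acme-dental.com.au": (200, "<h1>Docs</h1>"),
}


def sample_resolver(host: str) -> Optional[str]:
    return SAMPLE_CNAMES.get(host)


def sample_fetch(host: str) -> Optional[Tuple[int, str]]:
    return SAMPLE_HTTP.get(host)


if __name__ == "__main__":
    for name in SAMPLE_CNAMES:
        print(classify_cname(name, sample_resolver, sample_fetch))
```

A dangling-nxdomain result (the CNAME target no longer resolves) is only exploitable when the provider lets a new customer register that exact name; treat it as a finding until the provider's rules say otherwise.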

  • High

    STARTTLS disabled on inbound mail server

    mail.acme-dental.com.au · Found 4 May 2026 · ongoing

    Patient appointment confirmations are arriving in plain text. Enable STARTTLS in the mail provider settings.


    What we saw

    mail.acme-dental.com.au accepts SMTP on port 25 but does not offer STARTTLS in its EHLO response. Sending servers that would normally upgrade the session to TLS never get the option, so inbound mail (appointment confirmations, intake forms, partner correspondence) is delivered unencrypted across the public internet and can be read by any party on the path.

    Evidence

    $ openssl s_client -starttls smtp -connect mail.acme-dental.com.au:25
    connect:errno=0
    250-mail.acme-dental.com.au Hello
    250 8BITMIME
    # no STARTTLS in the EHLO capability list

    How to fix it

    Enable STARTTLS on the port 25 listener in the mail provider control panel and bind a valid certificate (the existing acme-dental.com.au certificate covers mail.* via its SAN). STARTTLS alone is opportunistic: an on-path attacker can strip it and senders fall back to plain text. Once TLS works, publish an MTA-STS policy to enforce it: a TXT record at _mta-sts.acme-dental.com.au (v=STSv1; id=<any value that changes when the policy changes>) plus the policy file at https://mta-sts.acme-dental.com.au/.well-known/mta-sts.txt listing the MX host. Start with mode: testing and a TLS-RPT record (_smtp._tls.acme-dental.com.au) to collect failure reports, then switch to mode: enforce.
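The two checks the fix depends on, as an added example that is not the scanner's or the mail provider's code: whether an EHLO reply advertises STARTTLS, and whether an mta-sts.txt body is a valid RFC 8461 policy that covers the MX host. The EHLO replies and policy text are constructed samples; probe_starttls is a live helper that needs network access and is not exercised offline.

```python
from typing import Dict, List

MAX_AGE_LIMIT = 31_557_600  # RFC 8461: a policy may be cached for at most one year


def starttls_advertised(ehlo_reply: str) -> bool:
    """True when the multi-line 250 reply to EHLO lists the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if len(line) >= 4 and line.startswith("250") and line[3] in "- ":
            keyword = line[4:].split(" ", 1)[0].upper()
            if keyword == "STARTTLS":
                return True
    return False


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check with the standard library (needs network access)."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


def parse_mta_sts_policy(text: str) -> dict:
    """Parse an mta-sts.txt body; 'errors' is empty when the policy is valid."""
    policy: dict = {"version": None, "mode": None, "mx": [], "max_age": None, "errors": []}
    errors: List[str] = policy["errors"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            errors.append(f"malformed line: {raw!r}")
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value) if value.isdigit() else None
        elif key in ("version", "mode"):
            policy[key] = value
        # unknown keys are ignored, as the RFC requires
    if policy["version"] != "STSv1":
        errors.append("version must be STSv1")
    if policy["mode"] not in ("enforce", "testing", "none"):
        errors.append("mode must be enforce, testing or none")
    if policy["mode"] != "none" and not policy["mx"]:
        errors.append("at least one mx line is required unless mode is none")
    if policy["max_age"] is None or not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        errors.append(f"max_age must be an integer between 0 and {MAX_AGE_LIMIT}")
    return policy


def mx_covered(policy: dict, mx_host: str) -> bool:
    """Does the policy's mx list cover this MX hostname? A leading '*.'
    matches exactly one leftmost label (RFC 8461 section 4.1)."""
    host = mx_host.rstrip(".").lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".acme-dental.com.au"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


# Constructed sample inputs (not captured from any real host).
EHLO_NO_TLS = "250-mail.acme-dental.com.au Hello\r\n250 8BITMIME\r\n"
EHLO_WITH_TLS = "250-mail.acme-dental.com.au Hello\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
POLICY_TEXT = "version: STSv1\nmode: testing\nmx: mail.acme-dental.com.au\nmax_age: 86400\n"

if __name__ == "__main__":
    print(starttls_advertised(EHLO_NO_TLS), starttls_advertised(EHLO_WITH_TLS))
    policy = parse_mta_sts_policy(POLICY_TEXT)
    print(policy["errors"], mx_covered(policy, "mail.acme-dental.com.au."))
```

Run parse_mta_sts_policy over the file you are about to publish before switching mode to enforce: a policy that omits the real MX makes enforcing senders refuse your mail once they have cached it, and one with max_age above the one-year limit is simply invalid.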

  • Low

    Server banner reveals Apache 2.4.46

    www.acme-dental.com.au · Found 4 May 2026 · ongoing

    Cosmetic on its own, but hiding it removes one cheap reconnaissance signal for an attacker mapping your stack.


    What we saw

    The Server response header on www.acme-dental.com.au discloses Apache 2.4.46 on Ubuntu. That tells anyone scanning your stack which version-specific exploits to try first. Two caveats: distribution packages backport security fixes, so the version string alone does not prove the server is unpatched (check the installed package's changelog), and hiding the banner patches nothing, it only removes one cheap reconnaissance signal. Note also that Cloudflare's proxy rewrites the Server header of proxied responses to cloudflare, so a response carrying the Apache banner came over a path that did not pass through the proxy; confirm the origin is not reachable directly (see the Cloudflare item below).

    Evidence

    curl -sI https://www.acme-dental.com.au | grep -i server
    Server: Apache/2.4.46 (Ubuntu)

    How to fix it

    Set ServerTokens Prod and ServerSignature Off in the Apache config and reload; the header then reads just Apache, since the core directives cannot remove it entirely. If the site is behind Cloudflare, the proxy already replaces the header with Server: cloudflare on proxied responses; the origin change still matters for any path that reaches the origin directly.

  • Low

    Cookies missing SameSite attribute

    www.acme-dental.com.au · Found 4 May 2026 · ongoing

    Lowers the bar for cross-site request forgery on your admin pages.


    What we saw

    The PHPSESSID and wp_logged_in cookies are set without a SameSite attribute, and PHPSESSID also lacks Secure and HttpOnly. Without SameSite=Lax or Strict, another site can trigger authenticated requests against /wp-admin from a logged-in browser, which is the standard CSRF foothold. Chromium-based browsers treat a missing SameSite as Lax (with a short grace period for POST requests), but other browsers do not, so the attribute has to be set explicitly rather than left to browser defaults. WordPress nonces mitigate CSRF on its own admin actions; custom plugins and the PHP session get no such protection automatically.

    Evidence

    Set-Cookie: PHPSESSID=abc123; path=/
    Set-Cookie: wp_logged_in_*=1; path=/; HttpOnly; Secure

    How to fix it

    Set SameSite=Lax on session and login cookies (Strict breaks the case where a user follows a link into the admin area from email or another site, because the login cookie is then not sent on that navigation). For PHPSESSID, set session.cookie_samesite = "Lax", session.cookie_secure = 1 and session.cookie_httponly = 1 in php.ini. For the WordPress cookies this can be done via a small mu-plugin or via a Cloudflare HTTP Response Header Transform rule.
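A small audit of Set-Cookie headers, as an added example that is not the scanner's code, run over constructed headers that mirror the evidence above plus one corrected cookie. It reports every weakness the evidence shows, not only SameSite, and treats a missing attribute as a defect rather than relying on browser defaults.

```python
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes.
    Valueless flags (Secure, HttpOnly) map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> List[str]:
    """Return the weaknesses of one Set-Cookie header (empty list = fine)."""
    attrs = parse_set_cookie(header)["attrs"]
    issues: List[str] = []
    samesite = attrs.get("samesite", "").lower()
    if "samesite" not in attrs:
        issues.append("no SameSite: Chromium defaults to Lax, other browsers send it cross-site; set it explicitly")
    elif samesite == "none" and "secure" not in attrs:
        issues.append("SameSite=None without Secure: Chromium-based browsers reject the cookie")
    if "secure" not in attrs:
        issues.append("no Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        issues.append("no HttpOnly: readable from JavaScript, so an XSS can steal the session")
    return issues


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    report: Dict[str, List[str]] = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            report[str(parse_set_cookie(value)["name"])] = audit_cookie(value)
    return report


# Constructed sample response headers; the first two cookies mirror the evidence above.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "wp_logged_in_*=1; path=/; HttpOnly; Secure"),
    ("Set-Cookie", "session=xyz; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, issues in audit_response(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or "ok")
```

Run the same audit against the response from /wp-login.php after the fix: the PHPSESSID entry should go from three issues to none, and a fresh login cookie should carry SameSite=Lax.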

  • Info

    Cloudflare in front of origin

    www.acme-dental.com.au · Found 4 May 2026 · ongoing

    Not a finding; logged for cadence and evidence.


    What we saw

    www.acme-dental.com.au resolves to Cloudflare IPs and serves a Cloudflare-issued certificate. That is good defensive posture. We log it here so future scans can detect a sudden change (for example if the site is moved off Cloudflare without rolling the certificate).

    Evidence

    dig +short www.acme-dental.com.au
    104.21.x.x
    172.67.x.x
    
    curl -sI https://www.acme-dental.com.au | grep -i server
    Server: cloudflare

    How to fix it

    No action. Keep the origin IPs out of public DNS records, and restrict the origin's firewall to Cloudflare's published IP ranges (with Authenticated Origin Pulls enabled) so that a leaked origin address cannot be used to bypass the proxy. DNS hygiene alone is not enough: origin addresses leak through historical DNS data and other side channels.

Asset inventory

The 5 active assets covered by this report.

Host | Type | Last scan | Findings
acme-dental.com.au | DNS | 11 May 2026 | 1
www.acme-dental.com.au | Site | 11 May 2026 | 5
staging.acme-dental.com.au | Site | 11 May 2026 | 1
mail.acme-dental.com.au | Mail | 11 May 2026 | 1
cdn.acme-dental.com.au | IP | 11 May 2026 | 0

Methodology

Every AttackEdge report follows the same shape. We scan the public footprint from the outside, covering only what an attacker on the internet can already reach, and we surface findings in plain English with the technical detail your developer or IT provider needs to fix them. We do not log into your systems, exploit anything we find, or stress-test your services.

About this report: hello@attackedge.io · scanner v0.4.2 · generated 2026-05-11

Want one of these for your business?

Run a real scan.

Same shape as the report above, with your data instead of acme-dental.

Setup in 60 seconds · First report in 24h · Cancel anytime