
Pretty sure every site on IPv4 gets probed multiple times a day for common config leaks and other misconfigurations. Happens to all of mine.


Yeah, but if a gitignore tells you where to look, and it isn't even blocked by a WAF / rule, it makes an interesting target, esp. one of the largest companies out there.

You shouldn't even be able to execute settings.php


It's a good sign there might be an exploitable file upload vulnerability, if you can find an endpoint that uploads files to a directory that's served by Apache with the same configuration as the directory of the executable settings.php


How is it a good sign of anything like that? File upload to disk is a completely unrelated concept that depends on how php is invoked by the web server.


Sure, I'm just saying it makes an executable file upload more likely. Because if a file like settings.php is executable by Apache, it implies that (at least in this directory) any .php file is executable by Apache, rather than a single whitelisted index.php or some wsgi setup.

So maybe the same configuration applies to a user upload directory. If you find a way to upload a .php file to a web directory on the same server, there is a possibility you can execute it - with higher success probability than if you did not know about settings.php being executable.
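An added example, not part of any comment in this thread: an Apache 2.4 configuration sketch of the distinction drawn above, with the docroot-wide PHP handler shown commented out beside a layout that denies direct requests for settings.php and for scripts in the upload directory. The paths and the mod_php handler name are assumptions chosen for illustration.

```apache
# Constructed example. /var/www/example and its subdirectories are
# placeholder paths; the handler name assumes mod_php.

# Weak layout (commented out): the PHP handler is bound to every *.php
# file under the docroot, so settings.php and anything written to
# uploads/ are handled the same way.
#<Directory "/var/www/example">
#    <FilesMatch "\.php$">
#        SetHandler application/x-httpd-php
#    </FilesMatch>
#</Directory>

# Hardened layout.
<Directory "/var/www/example">
    # Ignore .htaccess files so directory contents cannot change handlers.
    AllowOverride None

    # settings.php is meant to be included by the application,
    # never requested over HTTP.
    <Files "settings.php">
        Require all denied
    </Files>
</Directory>

<Directory "/var/www/example/uploads">
    AllowOverride None

    # Refuse any request for a script-like file in the upload directory,
    # whatever handler is configured further up the tree.
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Running `apachectl configtest` after a change like this catches syntax errors before reload.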


Finally, a compelling reason to use IPv6.



