Beware of Subversion leftovers in production websites

Posted on November 03, 2009 by Marcus.

Every once in a while, old and well-known problems are rediscovered. The same recently happened with the Subversion leftover issue.

If you check out a project from a Subversion server, Subversion creates a ".svn" directory that holds working-copy metadata. Using this ".svn" folder, Subversion can determine whether local changes have been made, which files belong to the working copy, and so on.

If your web server does not reject access to ".svn" folders, a malicious user can obtain listings of the web server's directories even if you try to prevent that with the "DirectoryIndex" directive. In addition, depending on your web server configuration, a malicious user might get hold of unparsed script source code in plain text.

There are at least two valid solutions:

  • Use the dedicated "svn export" command for deployments; it produces a clean directory tree without ".svn" folders.
  • Reject access to ".svn" folders in your web server configuration.

A valid entry in your Apache config file (httpd.conf/apache2.conf) would look like this:
#
# Prevents access on SVN specific folders
#
<Directory ~ ".*\.svn">
    Order allow,deny
    Deny from all
</Directory>
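The "Order"/"Deny" pair above is Apache 2.2 syntax (Apache 2.4 expresses the same rule as "Require all denied"); independent of the server, it is worth checking the deployed tree itself for ".svn" directories, which the script below does. It is an added example, not code from the original post, and assumes the document root is passed as its first argument and that "svn" is on the PATH for the export helper; the repository URL in the export helper is a hypothetical placeholder.

```shell
#!/bin/sh
# Audit a deployed document root for Subversion working-copy leftovers.
# Assumption (example, not from the post): the document root is given
# as the first argument.

# Print every ".svn" directory below the given root.
# Returns 0 if the tree is clean, 1 if leftovers were found, 2 on bad input.
find_svn_leftovers() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "find_svn_leftovers: not a directory: $root" >&2
        return 2
    fi
    # -prune stops find from descending into the .svn directory itself,
    # so each working-copy directory is reported exactly once.
    leftovers=$(find "$root" -type d -name .svn -prune -print)
    if [ -n "$leftovers" ]; then
        printf '%s\n' "$leftovers"
        return 1
    fi
    return 0
}

# Count the ".svn" directories below the root (0 for a clean tree).
count_svn_leftovers() {
    find "$1" -type d -name .svn -prune -print | wc -l | tr -d ' '
}

# Deploy with "svn export", which writes no ".svn" metadata, then re-check
# the exported tree so the deployment fails if anything slipped in.
# Assumption: URL and target directory are hypothetical placeholders,
# e.g. deploy_clean https://svn.example.invalid/site/trunk /var/www/html
deploy_clean() {
    url="$1"
    dest="$2"
    svn export --quiet "$url" "$dest" || return 1
    find_svn_leftovers "$dest"
}

# Usage: ./svn-audit.sh /var/www/html  (exit status 1 means leftovers found)
if [ "$#" -gt 0 ]; then
    find_svn_leftovers "$1"
fi
```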
