[ic] Risks of websites served from Subversion or CVS checkouts
Jon Jensen
jon at endpoint.com
Wed Aug 20 00:19:17 UTC 2008
Interchange users,
At the talk "Rails Security" by Jonathan Weiss at LinuxTag 2008, he
mentioned (among other things) a possible security problem for sites being
run out of a Subversion (or CVS) working copy, where the metadata inside
the .svn/ or CVS/ directories may be exposed to the world.
This post by someone else explains it nicely:
http://scottbarnham.com/blog/2008/04/22/serving-websites-from-svn-checkout-considered-harmful/
Interchange appears not to be vulnerable to this by default as it will
only serve files that end in .html, and all the .svn/ and CVS/ filenames
have no suffix, or end with .svn-base, so are not served by Interchange.
But if the docroot is served from a Subversion or CVS checkout, its
metadata files are likely served to the world -- relatively harmless, but
can reveal internal file paths, hostnames, and OS account names.
For PHP or SSI, on the other hand, this could be a disaster, as the
complete source to all files could be revealed, since the .svn-base suffix
will cause Apache not to parse the code as PHP but pass through the
source.
If you use Subversion or CVS on any project, I recommend you look into how
your files are being served and see if there's anything being exposed.
Checkouts from Git, Mercurial, or Bazaar are not likely to be a problem,
since they only have metadata directories (.git, .hg, .bzr) and associated
files at the root of the checkout, which would often be outside the
docroot.
Jon
--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
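The check Jon recommends, as an added example that is not part of his post and is not Interchange or End Point code: a small POSIX sh script that walks a docroot for .svn/, CVS/ (and .git/.hg/.bzr) directories, lists pristine copies of server-side scripts that an Apache server would hand out as plain text because of the .svn-base suffix, optionally probes a live site you own for the well-known metadata files (.svn/entries, .svn/wc.db, CVS/Entries, CVS/Root), and writes an Apache rule that refuses to serve anything inside those directories. It assumes find and curl are available and that the Apache config is loaded by a 2.2 or 2.4 server; the sample docroot it builds under mktemp is constructed for the demonstration and mimics a pre-1.7 Subversion checkout (one .svn/ per directory). Subversion 1.7 and later keep a single .svn/ with wc.db at the checkout root instead, so if the checkout root is the docroot the same rule still applies.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web docroot for
# version-control metadata and emit an Apache rule that blocks it.
# Assumptions: POSIX sh, find, curl; Apache 2.2 or 2.4.

# List VCS metadata directories that live under the docroot.
find_vcs_metadata() {
    find "$1" -type d \( -name .svn -o -name CVS -o -name .git \
        -o -name .hg -o -name .bzr \) 2>/dev/null
}

count_vcs_metadata() {
    find_vcs_metadata "$1" | wc -l | tr -d ' '
}

# Pristine copies of server-side scripts: the .svn-base suffix means Apache
# serves them as plain text instead of running them, exposing the source.
find_exposed_script_sources() {
    find "$1" -path '*/.svn/*' -type f \( -name '*.php.svn-base' \
        -o -name '*.shtml.svn-base' -o -name '*.pl.svn-base' \
        -o -name '*.cgi.svn-base' \) 2>/dev/null
}

# Probe a live site (your own) for the well-known metadata files.
# Prints "<status> <path>" per probe; a 200 means the checkout is exposed.
probe_live_site() {
    base="${1%/}"
    for p in .svn/entries .svn/wc.db CVS/Entries CVS/Root; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$p")
        echo "$code $p"
    done
}

# Apache fix: refuse to serve anything inside a .svn or CVS directory.
# The IfModule pair makes one file work on 2.2 (Order/Deny) and 2.4 (Require).
write_apache_deny_conf() {
    cat > "$1" <<'EOF'
<DirectoryMatch "/(\.svn|CVS)(/|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</DirectoryMatch>
EOF
}

# Constructed sample docroot shaped like a pre-1.7 Subversion checkout
# plus one CVS directory; nothing outside the temp dir is touched.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/.svn/text-base" "$d/shop/.svn/text-base" "$d/shop/CVS"
    printf '<?php $dbpass = "hunter2"; ?>\n' > "$d/shop/index.php"
    cp "$d/shop/index.php" "$d/shop/.svn/text-base/index.php.svn-base"
    printf '10\n\ndir\n42\nhttps://svn.internal.example/repo/trunk\n' \
        > "$d/.svn/entries"
    printf '/index.php/1.3/Mon Aug 18 2008//\n' > "$d/shop/CVS/Entries"
    echo "$d"
}

# Usage: sh audit-vcs.sh /var/www/htdocs [http://shop.example]
# (/tmp/deny-vcs.conf is a hypothetical output path; include it from httpd.conf)
if [ "${1:-}" ]; then
    echo "Metadata directories under $1:"; find_vcs_metadata "$1"
    echo "Script sources that would be served as text:"; find_exposed_script_sources "$1"
    [ "${2:-}" ] && probe_live_site "$2"
    write_apache_deny_conf /tmp/deny-vcs.conf
    echo "Apache rule written to /tmp/deny-vcs.conf"
fi
```

Run it against the real docroot first; any output from the first two listings means the server has something to hide and the deny rule (or moving the checkout so only an exported copy sits under the docroot) is warranted. The DirectoryMatch rule blocks the whole directory rather than individual suffixes, so it also covers the entries, wc.db and CVS/Root files that reveal repository URLs, hostnames and account names.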