
"Vulnerability" in svn

Added by Daniel Blendea over 14 years ago

Hello,

I know I've seen here, as practice, using Redmine checked out from svn and published over the web, so I'm posting this:
http://www.smashingmagazine.com/2009/09/25/svn-strikes-back-a-serious-vulnerability-found/


Replies (3)

RE: "Vulnerability" in svn - Added by Eric Davis over 14 years ago

This has come up before. Here's what I used to use when I deployed using svn:

RewriteEngine On

# Important rule to prevent exposure of subversion files if you are deploying with Capistrano !
# The dot is escaped so the pattern matches a literal ".svn" path segment, not any character followed by "svn".
RewriteRule ^(.*/)?\.svn/ - [F,L]

That file is from November 2007 :)

Eric Davis

RE: "Vulnerability" in svn - Added by Chris McKee over 14 years ago

I'd always advise doing as little with .htaccess as possible if you have access to httpd.conf (or apache2.conf / apache.conf etc.).

Snip from .htaccess

#
# The following lines prevent .htaccess files from being viewed by
# Web clients.  Since .htaccess files often contain authorization
# information, access is disallowed for security reasons.  Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files.  If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
#
# See also this mini-guide to password protecting a directory
#
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

Most default Apache configurations won't allow you to view/download files starting with . anyway, but it's worth making sure.

.htaccess files add processing time on to each request (hence a preference for using server configuration).
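The server-wide equivalent of the rewrite rule above, placed in httpd.conf instead of .htaccess, as an added example that is not from any poster in this thread; the path and vhost layout are assumptions:

```apache
# Added example (not from the thread): block every .svn directory for the whole
# server, so each checkout does not need its own .htaccess rule.

# 1. URL level (mod_alias): answer 404 rather than 403, so a request for
#    /.svn/entries does not confirm that a Subversion checkout exists at all.
RedirectMatch 404 "/\.svn(/|$)"

# 2. Filesystem level (core): also covers paths reached through Alias or
#    other mappings that bypass the URL-level rule. Matching "/\.svn" with no
#    end anchor also catches sub-directories such as .svn/text-base; a
#    directory merely named ".svn-something" is over-blocked, which is
#    acceptable for a deny rule.
<DirectoryMatch "/\.svn">
    # Apache 2.4 syntax
    Require all denied

    # Apache 2.2 syntax (what was current when this thread was written);
    # use instead of "Require all denied" on 2.2:
    #   Order allow,deny
    #   Deny from all
</DirectoryMatch>

# Example vhost showing where the rules sit; /var/www/redmine is an assumed path.
<VirtualHost *:80>
    ServerName redmine.example.test
    DocumentRoot /var/www/redmine/public
</VirtualHost>
```

After `apachectl configtest` and a reload, requesting /.svn/entries on your own site should return 404 (or 403 if you keep only the DirectoryMatch block).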

RE: "Vulnerability" in svn - Added by Andrew Rudenko over 14 years ago

I've been hacked by unknown bad guy(s).
It was possible to view the entries file on my RedMine (http://<my domain>/.svn/entries). Thanks for the link on how to guard our server from this attack. I've added the deny rule into apache.conf and now I am guarded :)

Coming back... someone in some way uploaded a ton of emails into my smtp where RedMine has been running. It was about 30K messages. Part of these messages were sent and part left on the system. My email provider had blocked me from sending emails since more than 500 messages were sent per hour. postsuper -d ALL deferred helped me to remove all the messages left on the system.

Am I right that the svn vulnerability was the door for this 'joke'?
