Linked by David Adams on Fri 25th Sep 2009 14:50 UTC, submitted by TommyCarlier
From Smashing Magazine: "A few months ago, Anton Isaykin, in collaboration with the company 2comrades, found a huge vulnerability that is quite typical of big projects (we do not name names here). To test it, they obtained the file structures and even the source code of about 3320 Russian websites and some major English-language websites. Serious vulnerabilities like this aren't supposed to exist nowadays. Every serious or visible exploit is found and fixed quickly. But here we will show you something simple and ordinary yet very dangerous."
Thread beginning with comment 386252
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
Member since:2005-08-27
I have to agree, no way this is SVN's vulnerability, but webserver misconfiguration. You can just as well drop zip archive with your passwords onto you website and cry then about zip's vulnerability that exposed your passwords.
Denying access to stuff like .htaccess, .inc and other files and directories are the first steps those should have been taken on those servers, but they were missed - and we've got the "vulnerable" result.
Recent Original Stories
Recent Comments
Headlines
Random Comments
Random Stories
Random OS Link
Member since:
2009-03-25
A serious issue? Yes.
A result of poor server management? Definitely.
But a vulnerability in SVN? No way.
This is documented behaviour. The same problem will exist if you use CVS and other version control software. You'll get similar problems if you put any other private files onto your public web site.
This is really a training issue -- people need to be made aware of how to use SVN, and how not to. But that said, it is good to have it highlighted, especially if it's as widespread as the article seems to imply.
So I don't see any need for any software changes in the light of this. But what would be a good idea would be for web server software to ship with recognition of common version control system files.
Web servers are already shipped to recognise file types so they can serve the right mime-types, or route them through the appropriate scripting language, etc, so it shouldn't be hard for them to add .svn and CVS files to that recognition, and just set it not serve the content.