Exposed .svn Directories
For the last few years, we have been using subversion to manage our source code and move code live. One thing we overlooked was the fact that the .svn directories were exposed on our web server. Thanks to Ehraz and Umraz Ahmed ( #securityexe and #umrazahmed on twitter) for reporting this problem to us.
As a solution, we made a couple of configuration changes:
- prevented access to the directories via a "<Directory>" directive,
- added respective rules to our web application firewall.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Keywords: svn
1 comment(s)
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
×
Diary Archives
Comments
You shouldn't be doing SVN UP on your public webserver; you should be doing SVN EXPORT <revision #>.
That will 'download' all the files, without all the .svn stuff.
Bob
Anonymous
Dec 31st 2013
1 decade ago