svn subversion vulnerability

Discussion in 'Security' started by payne, Jan 8, 2010.

  1. payne

    From securitymetrics:

    Synopsis: The remote web server discloses information due to a configuration weakness.

    Description: The web server on the remote host allows read access to '.svn/entries' files. This exposes all file names in your svn module on your website. This flaw can also be used to download the source code of the scripts (PHP, JSP, etc...) hosted on the remote server.

    See also: Basic Flaw Reveals Source Code to 3,300 Popular Websites ic-flaw-reveals-source-code-to-3300-popular-websites/

    Solution: Configure permissions for the affected web server to deny access to the '.svn' directory.

    Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

    I tried adding:

    <Directory ~ ".*\.svn">
    Order allow,deny
    Deny from all
    </Directory>

    To Apache conf pre main include, but it doesn't seem to do anything. I can still access the svn directory in question.

    Anyone know why this Directory configuration isn't working... or know of another way to deny access to the .svn directories?

    P.
     
  2. payne

    Also tried:

    <DirectoryMatch \.svn>
    Order allow,deny
    Deny from all
    </DirectoryMatch>

    Also tried them in the pre virtual include section.

    And I can still access the entries file in the .svn directories.
     
  3. payne

    Turns out this was on a mongrel_rails instance, not on Apache... so no wonder the Apache configuration wasn't helping.

    So... does anyone know how to prevent .svn directories from being displayed on cPanel's Mongrel?
     
  4. damainman

    Did you ever find your answer?
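
An added example, not part of any post in this thread and not cPanel's or Subversion's own code: because the exposure reported above exists whichever server fronts the directory (Apache or Mongrel), one server-independent check is to audit the document root for `.svn` directories so they can be removed or the site redeployed with `svn export`. The sample entries file and the `svn.example.invalid` URL are constructed, and the record layout assumed is the pre-1.7 plain-text working-copy format.

```ruby
require "find"
require "tmpdir"
require "fileutils"

# Constructed sample of a pre-1.7 working-copy entries file (format 10).
# Records are separated by a form-feed line; the first line of each record
# is the entry name (empty for the directory itself), the second its kind.
SAMPLE_ENTRIES = "10\n\ndir\n42\nhttp://svn.example.invalid/app/trunk\n\f\n" \
                 "index.php\nfile\n\f\nconfig.php\nfile\n\f\nlib\ndir\n\f\n"

# File and directory names that a readable entries file hands to any client.
# Newer working copies keep metadata in wc.db and leave only a format number
# in entries, so an empty list does not mean the directory is safe to serve.
def entry_names(entries_text)
  body = entries_text.sub(/\A\d+\r?\n/, "")
  body.split(/^\f\r?\n/).map { |rec| rec.lines.first.to_s.chomp }.reject(&:empty?)
end

# Walk a document root and list every .svn directory under it, as the URL
# path a server mapping the tree directly would expose, plus the leaked names.
def audit_docroot(docroot)
  root = File.expand_path(docroot)
  findings = []
  Find.find(root) do |path|
    next unless File.basename(path) == ".svn" && File.directory?(path)
    entries = File.join(path, "entries")
    names = File.file?(entries) ? entry_names(File.binread(entries)) : []
    findings << { url: path.delete_prefix(root), names: names }
    Find.prune # metadata directory recorded; no need to descend into it
  end
  findings.sort_by { |f| f[:url] }
end

# Demo on a throwaway tree holding .svn and admin/.svn (both constructed).
def demo
  Dir.mktmpdir do |tmp|
    [File.join(tmp, ".svn"), File.join(tmp, "admin", ".svn")].each do |d|
      FileUtils.mkdir_p(d)
      File.write(File.join(d, "entries"), SAMPLE_ENTRIES)
    end
    audit_docroot(tmp)
  end
end

demo.each { |f| puts "#{f[:url]}/entries exposes: #{f[:names].join(', ')}" } if __FILE__ == $0
```

To check a real site, call `audit_docroot` with the application's public directory; any finding is a directory to remove from the deployed tree.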
     