SVN vulnerability
Posted by: p0deje
Date: September 28, 2009 02:22AM

I'm not quite sure where to post this, so I've decided to put it there.
Those who know the Russian language may read the original post - http://habrahabr.ru/blogs/infosecurity/70330/

In short: some time ago a few Russian hackers discovered a vulnerability which affects a great number of web projects. The issue is with SVN. If a project is maintained with SVN and developers use its checkout, then all the sources are put into a hidden directory, .svn.
In a great number of cases this directory is readable via http://[website]:80/.svn.
Moreover, all the sources are put into /.svn/text-base/ (can you guess?) and are saved not with (e.g. for PHP) the *.php extension, which would lead to their execution, but in *.php.svn-base format, which is plain text.
They've created a scanner and looked through all sites within the RU domain zone. Thus, they have received the sources, developers' logins, etc. of huge Russian projects. When they decided to scan the COM zone, it would have taken about 2 years, so they've dropped this idea.
A live demonstration of this vulnerability is at Apache - http://apache.org/.svn

---------
http://p0deje.blogspot.com
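
A defender-side check for the exposure described in the post above, as an added example that is not part of the original thread: it walks a local web root and lists the `.svn` directories and `text-base/*.svn-base` copies that a web server would hand out as plain text. The function names and the sample tree are constructed for illustration, and only the working-copy layout the post describes is checked.

```python
import os
import tempfile


def find_svn_exposure(docroot):
    """Return one finding per .svn directory found under a local web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        if os.path.basename(dirpath) != ".svn":
            continue
        dirnames[:] = []  # no need to descend further inside .svn itself
        text_base = os.path.join(dirpath, "text-base")
        pristine = []
        if os.path.isdir(text_base):
            # These are the source copies stored without an executable extension.
            pristine = sorted(n for n in os.listdir(text_base)
                              if n.endswith(".svn-base"))
        findings.append({
            "svn_dir": os.path.relpath(dirpath, docroot).replace(os.sep, "/"),
            "has_entries": "entries" in filenames,  # working-copy metadata file
            "pristine_sources": pristine,
        })
    return sorted(findings, key=lambda f: f["svn_dir"])


def build_sample_tree(root):
    """Constructed sample: a checkout copied to the web root as-is."""
    layout = {
        "index.php": "<?php /* constructed */ ?>\n",
        ".svn/entries": "constructed placeholder\n",
        ".svn/text-base/index.php.svn-base": "<?php /* constructed */ ?>\n",
        "admin/config.php": "<?php /* constructed */ ?>\n",
        "admin/.svn/entries": "constructed placeholder\n",
        "admin/.svn/text-base/config.php.svn-base": "<?php /* constructed */ ?>\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        for f in find_svn_exposure(sample_root):
            print(f["svn_dir"], "entries:", f["has_entries"],
                  "sources:", ", ".join(f["pristine_sources"]))
```

Deploying with `svn export` instead of a checkout, or denying requests for `.svn` paths in the web server configuration, removes what this check reports.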

Re: SVN vulnerability
Posted by: rvdh
Date: September 28, 2009 08:50AM

It's not a new discovery, folks just didn't know it, that's all. Moreover, most people who use svn write open source, with emphasis on: open.

Re: SVN vulnerability
Posted by: rvdh
Date: September 28, 2009 08:53AM

Like: http://apache.org/server-status

Apache using mod_status. New? No. Just a stupid configuration to allow it to be world readable.

Re: SVN vulnerability
Posted by: rvdh
Date: September 28, 2009 08:54AM

Here: http://php.net/server-status

Spying was never this easy.

Re: SVN vulnerability
Posted by: p0deje
Date: September 28, 2009 09:53AM

Oops. I didn't know that this is not a new vulnerability. That's why I was shocked when I saw it :)

---------
http://p0deje.blogspot.com

Re: SVN vulnerability
Posted by: rvdh
Date: September 28, 2009 11:25AM

p0deje, a lot of people have been around, and remember things without talking about them. So in that sense, yeah it isn't new. I don't fear what people talk about, I fear what they keep private ;-)
