Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Webserver CVS (In)Security

From: Brian Hatch <vuln-dev () ifokr org>
Date: Tue, 1 Apr 2003 11:56:12 -0800



A lot of people use CVS to manage their web content. It's a great way to
keep track of changes, and makes updating and rollbacks a very easy
thing to do.


...


When I finally decided to manage my web content with CVS, I noticed
something about the directory layout (after running a `cvs up`) of my
website; there were a bunch of CVS directories with files in them. I
always knew they were there when working with CVS (those files are the
way CVS keeps track of versions and what not), but I never paid any mind
to them.. until today.


I use CVS to manage many of my web sites too, however the website is
rsync'd from the checked out CVS version.  I use the '-C' flag
(--cvs-exclude) to automatically not upload any CVS-related files.
From the man page:

   This is a useful shorthand for excluding a broad range of
   files that you often don?t want to transfer between
   systems. It uses the same algorithm that CVS uses to
   determine if a file should be ignored.

   The exclude list is initialized to:

   RCS  SCCS  CVS CVS.adm RCSLOG cvslog.* tags TAGS .make.state
   .nse_depinfo *~ #* .#* ,* *.old *.bak *.BAK *.orig *.rej .del-*
   *.a *.o *.obj *.so *.Z *.elc *.ln core

   then files listed in a $HOME/.cvsignore are added to the
   list and any files listed in the CVSIGNORE environment
   variable (space delimited).

   Finally, any file is ignored if it is in the same
   directory as a .cvsignore file and matches one of the
   patterns listed therein.  See the cvs(1) manual for more
   information.


This prevents all those sensative files from being published, not just
those that are in the CVS directory.

If it's just the CVS directory you're worried about, you could configure
apache to deny these using a <files CVS> option in your httpd.conf.






--
Brian Hatch                  I used to work in a
   Systems and                blanket factory,
   Security Engineer          but it folded.
www.hackinglinuxexposed.com

Every message PGP signed

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: