Vulnerability Development mailing list archives
Re: Webserver CVS (In)Security
From: Brian Hatch <vuln-dev () ifokr org>
Date: Tue, 1 Apr 2003 11:56:12 -0800
A lot of people use CVS to manage their web content. It's a great way to keep track of changes, and makes updating and rollbacks a very easy thing to do.
...
When I finally decided to manage my web content with CVS, I noticed something about the directory layout (after running a `cvs up`) of my website; there were a bunch of CVS directories with files in them. I always knew they were there when working with CVS (those files are the way CVS keeps track of versions and what not), but I never paid any mind to them.. until today.
I use CVS to manage many of my web sites too, however the website is rsync'd from the checked out CVS version. I use the '-C' flag (--cvs-exclude) to automatically not upload any CVS-related files. From the man page: This is a useful shorthand for excluding a broad range of files that you often don?t want to transfer between systems. It uses the same algorithm that CVS uses to determine if a file should be ignored. The exclude list is initialized to: RCS SCCS CVS CVS.adm RCSLOG cvslog.* tags TAGS .make.state .nse_depinfo *~ #* .#* ,* *.old *.bak *.BAK *.orig *.rej .del-* *.a *.o *.obj *.so *.Z *.elc *.ln core then files listed in a $HOME/.cvsignore are added to the list and any files listed in the CVSIGNORE environment variable (space delimited). Finally, any file is ignored if it is in the same directory as a .cvsignore file and matches one of the patterns listed therein. See the cvs(1) manual for more information. This prevents all those sensative files from being published, not just those that are in the CVS directory. If it's just the CVS directory you're worried about, you could configure apache to deny these using a <files CVS> option in your httpd.conf. -- Brian Hatch I used to work in a Systems and blanket factory, Security Engineer but it folded. www.hackinglinuxexposed.com Every message PGP signed
Attachment:
_bin
Description:
Current thread:
- Webserver CVS (In)Security methodic (Apr 01)
- Re: Webserver CVS (In)Security Brian Hatch (Apr 03)
- Re: Webserver CVS (In)Security Crist J. Clark (Apr 03)
- Re: Webserver CVS (In)Security Andrew Brown (Apr 03)