Dailydave mailing list archives
Anonymized posting (last one for this thread)
From: dave <dave () immunitysec com>
Date: Mon, 14 Jun 2004 12:41:38 -0400
anonymized post:

On Jun 9, 2004, at 18:48, H D Moore wrote:

> Bahahahaha. Have you *looked* at the SVN source? Make sure you drop us
> all

nope. actually i've never used it, never looked at it, never even been to the web site, never read any security-related news about it. just throwing it out there as bait. i'll stfu now :-)

so anyway, to the dude who mentioned RCS: RCS was okay... CVS is better... on intranets, i'm actually fairly happy with CVS. it has its problems, but i don't ever work in development groups over, say, 20... i imagine those problems would get ugly on larger projects... i usually just use CVS on NFS filesystems since our home directories are all fed via NFS.

CVSROOT=/home/CVS

development on the internet, however, is a different story. you kinda need server-based version control. and if anyone and their brother can get to the server's port, then it's pretty much fair game for hacking... my sympathies to all those owned source trees... oh, and my sympathies to all those (including me) who are more than likely using software with owned source trees.

so i'll throw out a question here: what can we do to lock down our intranets with the assumption that even the OSes on our own networks can't be trusted?

> the URL and repo path when you do. Now before anyone calls bullshit,
> you
> may want to follow these steps:
>
> 1. Download Apache2 source
> 2. Download Subversion 1.0.5 source
> 3. Read the source of the svn_dav_module, notice the XML calls?
> 4. Look at the XML parser in Apache2. No, not the source, the MOD time.
> 5. Now look at the XML parser source. See how it gets called from DAV
> 6. Reinstall CVS and STFU :)
>
> -HD
>
> http://metasploit.com/projects/Framework/exploits.html#svnserve
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Anonymized posting (last one for this thread) dave (Jun 14)
- Re: Anonymized posting (last one for this thread) Mordy Ovits (Jun 14)