Dailydave mailing list archives

Anonymized posting (last one for this thread)


From: dave <dave () immunitysec com>
Date: Mon, 14 Jun 2004 12:41:38 -0400

anonymized post:

On Jun 9, 2004, at 18:48, H D Moore wrote:

> Bahahahaha. Have you *looked* at the SVN source? Make sure you drop us all

nope.  actually i've never used it, never looked at it, never even been
to the web site, never read any security-related news about it.

just throwing it out there as bait.  i'll stfu now :-)

so anyway, to the dude who mentioned RCS:

RCS was okay... CVS is better... on intranets, i'm actually fairly
happy with CVS. it has its problems, but i don't ever work in development groups over, say, 20... i imagine those problems would get ugly on larger projects... i usually just use CVS on NFS filesystems since our home directories are all fed via NFS.

CVSROOT=/home/CVS


development on the internet, however, is a different story.   you kinda
need server-based version control.  and if anyone and their brother can get
to the server's port, then it's pretty much fair game for hacking...

my sympathies to all those owned source trees...

oh, and my sympathies to all those (including me) who are more than
likely using software with owned source trees. so i'll throw out a question here:

what can we do to lock down our intranets with the assumption that even
the OSes on our own networks can't be trusted?


> the URL and repo path when you do. Now before anyone calls bullshit, you
> may want to follow these steps:
>
> 1. Download Apache2 source
> 2. Download Subversion 1.0.5 source
> 3. Read the source of the svn_dav_module, notice the XML calls?
> 4. Look at the XML parser in Apache2. No, not the source, the MOD time.
> 5. Now look at the XML parser source. See how it gets called from DAV
> 6. Reinstall CVS and STFU :)
> -HD
>
> http://metasploit.com/projects/Framework/exploits.html#svnserve
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

