Vulnerability Development mailing list archives
Re: Webserver CVS (In)Security
From: Andrew Brown <atatat () atatdot net>
Date: Tue, 1 Apr 2003 17:33:35 -0500
> A lot of people use CVS to manage their web content. It's a great way to keep track of changes, and makes updating and rollbacks a very easy thing to do. ..BUT (there's always a but) this can be a _huge_ security risk.
>
> When I finally decided to manage my web content with CVS, I noticed something about the directory layout (after running a `cvs up`) of my website; there were a bunch of CVS directories with files in them. I always knew they were there when working with CVS (those files are the way CVS keeps track of versions and whatnot), but I never paid any mind to them.. until today.
>
> I opened up Mozilla and went to my website with a /CVS appended to the URL. Since I have Apache set up to disallow directory listings, I didn't get anything. Then I added /CVS/Entries to the URL. Two words came to mind: Uh-oh. The Entries file gave a complete listing of my webroot. It was like having ls(1) running on my webserver. The Entries file showed all the files and directories people normally wouldn't be able to see or even scan for. It would seem that having the directory listing option disabled in my httpd.conf didn't matter anymore. ...
keep two trees. tree 1 (let's call it /foo/cvs) is a copy of the cvs material with all the cvs subdirs and meta-files in it. tree 2 (let's call it /foo/www) is updated as follows whenever you cvs update tree 1, or whatever you do to maintain it.

    % cd /foo/cvs
    % rsync -CHar --delete . /foo/www

--
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
werdna () squooshy com * "information is power -- share the wealth."
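The two-tree publish step above, together with the check a site admin would want to run on the published tree afterwards, as an added example that is not code from either poster. It is written in Python so the whole thing runs offline: the checkout and publish directories are constructed in a temporary directory, `publish()` stands in for `rsync -CHar --delete` (it mirrors the tree with `shutil.copytree`, skipping anything named `CVS`, whereas rsync's `-C` additionally skips its built-in CVS-ignore patterns such as `*.o` and `core`), `parse_entries()` reads the real `CVS/Entries` line format (`/name/revision/timestamp/options/tag` for files, `D/name////` for directories), and `exposure_report()` / `find_cvs_metadata()` show what a web server would hand out from each tree. All file names and Entries contents are constructed sample data.

```python
"""Audit a web document root for CVS metadata and mirror a checkout without it.

Added example (not from the vuln-dev thread). The rsync step in the post is
replaced here by shutil.copytree so the script runs anywhere; the audit part
is what you would run against /foo/www after every publish.
"""
import os
import shutil
import tempfile

# Constructed CVS/Entries content, in the format CVS actually writes:
# "/name/revision/timestamp/options/tag" for files, "D/name////" for dirs,
# and a bare "D" line meaning "subdirectory list is complete".
SAMPLE_ENTRIES = """\
/index.html/1.4/Tue Apr  1 17:00:00 2003//
/admin.php/1.1/Tue Apr  1 17:05:00 2003//
D/images////
D/private////
D
"""


def parse_entries(text):
    """Return (files, dirs) named in a CVS/Entries file: exactly what a
    browser fetching /CVS/Entries would learn about that directory."""
    files, dirs = [], []
    for line in text.splitlines():
        parts = line.split("/")
        if line.startswith("D/") and parts[1]:
            dirs.append(parts[1])
        elif line.startswith("/") and len(parts) >= 3 and parts[1]:
            files.append(parts[1])
    return files, dirs


def find_cvs_metadata(root):
    """Relative paths of every CVS/ directory under root (empty list = clean)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if "CVS" in dirnames:
            hits.append(os.path.relpath(os.path.join(dirpath, "CVS"), root))
    return sorted(hits)


def exposure_report(root):
    """Map each CVS/Entries under root to the (files, dirs) it would reveal."""
    report = {}
    for cvsdir in find_cvs_metadata(root):
        entries = os.path.join(root, cvsdir, "Entries")
        if os.path.isfile(entries):
            with open(entries) as fh:
                report[cvsdir] = parse_entries(fh.read())
    return report


def publish(src, dst):
    """Mirror src into dst skipping CVS/ directories.
    Stand-in for `rsync -CHar --delete . /foo/www`: removing dst first gives
    the --delete semantics (dst ends up an exact mirror of src minus CVS/)."""
    if os.path.isdir(dst):
        shutil.rmtree(dst)
    shutil.copytree(src, dst, ignore=shutil.ignore_patterns("CVS"))


def list_files(root):
    """Sorted relative paths of all regular files under root."""
    out = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            out.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(out)


def build_sample_tree(base):
    """Create a constructed checkout (tree 1, /foo/cvs in the post) under base."""
    cvs = os.path.join(base, "cvs")
    layout = {
        "index.html": "<h1>hello</h1>\n",
        "admin.php": "<?php /* constructed placeholder */ ?>\n",
        "images/logo.png": "not really a png\n",
        "private/notes.txt": "constructed, should not be listable\n",
        "CVS/Entries": SAMPLE_ENTRIES,
        "CVS/Repository": "website\n",
        "images/CVS/Entries": "/logo.png/1.1/Tue Apr  1 17:10:00 2003/-kb/\nD\n",
        "private/CVS/Entries": "/notes.txt/1.2/Tue Apr  1 17:12:00 2003//\nD\n",
    }
    for rel, content in layout.items():
        path = os.path.join(cvs, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return cvs, os.path.join(base, "www")


def demo():
    """Build tree 1, publish it to tree 2, and audit both. Returns a dict."""
    with tempfile.TemporaryDirectory() as base:
        cvs, www = build_sample_tree(base)
        result = {
            "checkout_cvs_dirs": find_cvs_metadata(cvs),
            "exposed_before": exposure_report(cvs),
        }
        publish(cvs, www)
        result["www_cvs_dirs"] = find_cvs_metadata(www)
        result["www_files"] = list_files(www)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as a script to see the before/after picture; in practice you would point `find_cvs_metadata()` at the real document root from cron or a post-update hook and treat a non-empty result as a failed publish.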
Current thread:
- Webserver CVS (In)Security methodic (Apr 01)
- Re: Webserver CVS (In)Security Brian Hatch (Apr 03)
- Re: Webserver CVS (In)Security Crist J. Clark (Apr 03)
- Re: Webserver CVS (In)Security Andrew Brown (Apr 03)