The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

Read this if you use SVN for your site!

Below is a link to an automatically translated version of a Russian article. The source code of 3000+ major sites was leaked because of incorrect SVN usage.

http://translate.google.com/translate?hl=ru&sl=ru&tl=en&u=http%3A%2F%2Fhabrahabr.ru%2Fblogs%2Finfosecurity%2F70330%2F
Vitaly
Wednesday, September 23, 2009
 
 
Scary that so many fail to include an 'svn export' step in their build/deployment scripts...
Thomas Kjeldahl Nilsson
Wednesday, September 23, 2009
 
 
Are those public sites hosting SVN themselves?
Edwin
Wednesday, September 23, 2009
 
 
I say, way too many technologies have to be merged for a tiny piece of application or program nowadays. That means way too many vulnerability possibilities.

But wow! I've got to check our own repo now.
victor a.k.a. python for ever
Wednesday, September 23, 2009
 
 
If I'm reading it right, the problem is that people didn't set the SVN directories to not be readable by Apache? I remember that being a fairly routine thing to have to do with CVS, so it's a little surprising that people didn't know to do it for SVN.
Drew Kime
Wednesday, September 23, 2009
 
 
Edwin - it's not necessarily that they are hosting SVN.
In the source directory SVN puts a hidden folder which contains a copy of all the sources.
If you let your web server return arbitrary files then these can be stolen.
Martin
Wednesday, September 23, 2009
 
 
Ok, under the directory .svn\text-base in every Subversion checkout folder there are copies of all of the files, with the extension .svn-base. These are used by SVN to do things like examine files being committed for changes.

So what? The actual source files are two directory levels above this location.

I really don't get what the big "leak" is here.
WannabeTycoon
Thursday, September 24, 2009
 
 
The big leak is that those files contain source code. PHP files sometimes contain database passwords (itself an iffy security practice).
Anonymoose
Thursday, September 24, 2009
 
 
"If I'm reading it right, the problem is that people didn't set the SVN directories to not be readable by Apache? I remember that being a fairly routine thing to have to do with CVS"

Never heard of that, not even once, and I use CVS. So my source code may all have been stolen because I've sometimes run Apache on my development machine?

If that's true then that is the reason why CVS and SVN are shit. No program should have such default security settings.
Scott
Thursday, September 24, 2009
 
 
Hm, Ok. Now having read the article. For the SVN case, the problem is if you store all your source code in your web directories that are published to the web server, then people can see it.

Yeah, ok. Why anyone would upload their product source code to their web server, I have no idea.
Scott
Thursday, September 24, 2009
 
 
Wow, this has the potential to be a huge security breach for some companies. You'd be vulnerable if the following conditions apply:

1. You use a web development system that relies on URL-to-script mapping (PHP, classic ASP, CGI Perl, etc.). More modern systems tend to not do direct URL-to-script mapping, but PHP is still hugely popular and tons of legacy classic ASP and CGI Perl code exist. MVC frameworks should be safe (since they don't map URLs to files) and ASP.NET should generally be safe (since .aspx files usually don't contain sensitive data).

2. You use SVN and check out directly to the web server to deploy. This is extremely common. Developers don't commonly think about 'svn export' and even if they do, it can be convenient to be able to check in emergency fixes directly from the production server and thus convenient to do a checkout instead of an export. No one expects their source control system to do things that circumvent security (like copying source code to a subfolder and changing the extension).

3. You have sensitive data in files in URL-mappable locations (passwords, proprietary algorithms, etc. in scripts). No intelligent, professional web developer should ever do this sort of thing, but unfortunately in a world of tight deadlines and duct-tape programmers, it's very common.

4. Your server is configured in a manner that allows access to .svn folders and serves the content of unknown files as text. Web servers don't know that .svn folders and .svn-base files are special, so it wouldn't surprise me if this is the default for Apache, IIS, etc.

It's certainly conceivable that a large number of systems are out there that meet these conditions, and I'm sure there are already scripts exploiting this for all of the script kiddies to use. Anyone using PHP or classic ASP with SVN should probably do a quick check to make sure they aren't exposing data they don't want exposed.
Dave76
Thursday, September 24, 2009
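The two practical points made in this thread, Thomas's remark that deployment scripts should use 'svn export' rather than a checkout, and Dave76's conditions 2 and 4 (a checkout sitting in the document root, and a web server that serves whatever it finds there), can be turned into a simple audit. The script below is an added example, not code from the thread or from any of its posters. It walks a web root looking for Subversion working-copy metadata, counts the pristine source copies it finds, and prints a web-server rule that refuses requests for those paths. The demo directory it builds and the placeholder database password are constructed for the example; point WEBROOT at a real document root to audit a server.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a web root for leftover
# Subversion working-copy metadata and shows the deny rule for it.
# The demo tree and its "password" are constructed placeholders.

# List every .svn directory below a web root, one path per line.
find_svn_dirs() {
    find "$1" -type d -name .svn 2>/dev/null
}

# Count pristine source copies below a web root. Subversion up to 1.6 keeps
# them as .svn/text-base/NAME.svn-base (the layout the thread describes);
# 1.7 and later keep them under .svn/pristine/, so both patterns are matched.
count_pristine_copies() {
    find "$1" -type f \( -name '*.svn-base' -o -path '*/.svn/pristine/*' \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Exit status 0 if no .svn metadata is present, 1 otherwise.
webroot_is_clean() {
    [ -z "$(find_svn_dirs "$1")" ]
}

# Apache 2.4 snippet that refuses any request resolving into a .svn directory,
# independent of how unknown file extensions are handled. Apache 2.2 would use
# "Order allow,deny" and "Deny from all" inside the same block.
apache_deny_snippet() {
    cat <<'EOF'
<DirectoryMatch "\.svn">
    Require all denied
</DirectoryMatch>
EOF
}

# Build a throwaway tree that looks like a checkout deployed straight into the
# document root, so the audit functions can be exercised offline.
make_demo_webroot() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/htdocs/.svn/text-base" "$demo_root/htdocs/inc/.svn/text-base"
    printf '<?php $db_pass = "placeholder-not-real"; ?>\n' > "$demo_root/htdocs/inc/config.php"
    cp "$demo_root/htdocs/inc/config.php" "$demo_root/htdocs/inc/.svn/text-base/config.php.svn-base"
    printf '<?php echo "hello"; ?>\n' > "$demo_root/htdocs/index.php"
    cp "$demo_root/htdocs/index.php" "$demo_root/htdocs/.svn/text-base/index.php.svn-base"
    printf '%s\n' "$demo_root"
}

# Stand-alone run: audit the demo tree, then show the remedy.
WEBROOT="$(make_demo_webroot)/htdocs"
echo "Pristine copies exposed under $WEBROOT: $(count_pristine_copies "$WEBROOT")"
find_svn_dirs "$WEBROOT"
if webroot_is_clean "$WEBROOT"; then
    echo "clean: no .svn metadata in the document root"
else
    echo "exposed: deploy with 'svn export <repo-url> <target>' instead of a checkout"
    apache_deny_snippet
fi
rm -rf "${WEBROOT%/htdocs}"
```

The deny rule is a backstop, not the fix: a server that never receives a checkout has nothing to protect, which is why the deployment step should be 'svn export' (which writes no .svn directory at all). Running the audit on a real document root and expecting zero pristine copies is a cheap check to add to a deployment pipeline.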
 
 
I just did a quick test on a server running an up-to-date version of IIS 6 and it refuses to serve files with unknown extensions. It looks like by default IIS ignores any files with extensions that it isn't configured to handle, so the .svn-base files are inaccessible. I'm not surprised, since this is the smart, safe thing for a web server to do by default. If the linked site is correct, it's somewhat surprising that Apache serves unknown files by default.
Dave76
Thursday, September 24, 2009
 
 
@dave I want to disagree as a developer but agree as a sysadmin!
Anonymoose
Sunday, September 27, 2009
 
 

This topic is archived. No further replies will be accepted.
