Subversion a security risk?

Subversion allows users to keep track of changes made to source code. It is very handy, and many developers, including me, use it every day.

Some websites keep an svn checkout in their public web folder so that updates can be deployed faster when the code changes.

Letting the cat out of the bag right now: if the webserver has directory listing switched on, it is easy to snoop on parts of your website.
If you take a closer look at the structure of a Subversion working copy, you will notice that Subversion creates a subfolder called ".svn" in every folder, with a number of metadata files in it (this is the Subversion 1.6 and older layout; since 1.7 there is a single ".svn" at the root of the working copy, holding a wc.db database and a pristine/ store, which reveals just as much). Directory listing only makes this convenient, not possible: the metadata files have well-known names (".svn/entries", ".svn/wc.db"), so anyone can request them directly, and the pristine copies of your files end in ".svn-base", so a server that only executes files ending in ".php" serves them as plain text, source code and all.

An example is a webshop which uses a Subversion checkout on the web server.

The start page of the webshop:

[screenshot: webshop index]

After appending ".svn/" to the URL, you see the svn directory structure:

[screenshot: view svn root]

The subfolder "text-base" holds a pristine copy of every versioned file in that folder (as filename.svn-base), so it tells us which files are there and lets us read them:

[screenshot: svn text-base folder]

We can view the configuration file ...

[screenshot: view config file]

... and the database dump:

[screenshot: view sql dump]

Of course this example was fictitious, but it shows how easy it is to map the structure of a site and read files on the server with nothing more than a web browser, files we did not even know existed before.

Take care of your production site if you are running a Subversion checkout on it!
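To make the walkthrough above concrete, here is an added example (not code from the original post) that works through what an exposed ".svn" directory gives away, offline, on constructed sample metadata. It assumes a hypothetical target at BASE_URL and covers both layouts: the Subversion 1.6 ".svn/entries" plus "text-base/" layout shown in the screenshots, and the 1.7+ ".svn/wc.db" plus "pristine/" layout. The entries file and the wc.db table are constructed here (the wc.db stand-in keeps only the NODES columns the code reads).

```python
"""Added example, not part of the original post: what an exposed .svn directory
gives away, worked offline on constructed sample metadata.

Assumptions (hypothetical, not from the post): the site is at BASE_URL and the
checkout was made either with Subversion 1.6 (.svn/entries + text-base/) or
with 1.7 and later (.svn/wc.db + pristine/). Both samples are constructed.
"""
import re
import sqlite3
from urllib.parse import urljoin

BASE_URL = "http://webshop.example/"  # hypothetical target

# Constructed .svn/entries in the Subversion 1.6 layout (format 10): the first
# line is the format number, records are terminated by form feed + newline,
# a record's first line is the name and its second the kind. The first record
# has an empty name and describes the directory itself.
SAMPLE_ENTRIES = (
    "10\n"
    "\n" "dir\n" "42\n"
    "http://svn.example/repo/trunk\n" "http://svn.example/repo\n"
    "\x0c\n"
    "config.php\n" "file\n" "\x0c\n"
    "dump.sql\n" "file\n" "\x0c\n"
    "admin\n" "dir\n" "\x0c\n"
)


def parse_entries(text):
    """Return [(name, kind), ...] for every entry except the directory itself."""
    first_nl = text.find("\n")
    if first_nl < 0 or not text[:first_nl].strip().isdigit():
        raise ValueError("not a Subversion 1.x entries file")
    items = []
    for record in text[first_nl + 1:].split("\x0c\n"):
        fields = record.split("\n")
        if len(fields) >= 2 and fields[0] and fields[1] in ("file", "dir"):
            items.append((fields[0], fields[1]))
    return items


def pristine_url_16(base, directory, name):
    """URL of a file's pristine copy in a 1.6 working copy. Because of the
    .svn-base suffix a server that only executes *.php serves it as plain text."""
    return urljoin(base, f"{directory}.svn/text-base/{name}.svn-base")


def pristine_path_17(checksum):
    """Map a NODES.checksum value ('$sha1$<hex>') from wc.db to its pristine file."""
    m = re.fullmatch(r"\$sha1\$([0-9a-f]{40})", checksum)
    if not m:
        raise ValueError(f"unexpected checksum format: {checksum!r}")
    digest = m.group(1)
    return f".svn/pristine/{digest[:2]}/{digest}.svn-base"


def build_sample_wcdb():
    """Constructed in-memory stand-in for .svn/wc.db with only the NODES
    columns this example reads (the real table has many more)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE NODES (local_relpath TEXT, op_depth INTEGER, "
               "kind TEXT, checksum TEXT)")
    db.executemany("INSERT INTO NODES VALUES (?, ?, ?, ?)", [
        ("", 0, "dir", None),
        ("config.php", 0, "file", "$sha1$" + "a1" * 20),
        ("admin", 0, "dir", None),
        ("admin/dump.sql", 0, "file", "$sha1$" + "b2" * 20),
    ])
    return db


def list_wcdb_files(db):
    """Return [(relpath, pristine_path)] for every file in the BASE tree (op_depth 0)."""
    rows = db.execute("SELECT local_relpath, checksum FROM NODES "
                      "WHERE op_depth = 0 AND kind = 'file' ORDER BY local_relpath")
    return [(path, pristine_path_17(checksum)) for path, checksum in rows]


def leaked_urls(base):
    """Every URL an attacker would request, given the constructed samples above."""
    urls = [urljoin(base, ".svn/entries"), urljoin(base, ".svn/wc.db")]
    for name, kind in parse_entries(SAMPLE_ENTRIES):
        # Files: fetch the raw source. Subdirectories: recurse into their own .svn.
        urls.append(pristine_url_16(base, "", name) if kind == "file"
                    else urljoin(base, f"{name}/.svn/entries"))
    for _, pristine in list_wcdb_files(build_sample_wcdb()):
        urls.append(urljoin(base, pristine))
    return urls


if __name__ == "__main__":
    for url in leaked_urls(BASE_URL):
        print(url)
```

The point of the two layouts is that neither needs directory listing: in 1.6 the entries file names every file, in 1.7+ wc.db names every file together with the checksum that locates its pristine copy, so a single request for ".svn/entries" or ".svn/wc.db" is the whole check for a site you administer.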


4 comments so far

  1. kitt on

    If you're running Apache, you can deny an svn listing via the domain's configuration files (or your .htaccess file if your server is configured such):

    Deny from all

  2. kitt on

    and, because you may not be able to see that in the previous comment:

    <Directory ~ "^\.svn">
    Deny from all
    </Directory>

  3. b23 on

    Good point, thanks for your comment.

  4. Arne Vogel on

    "^.svn" will only match directly underneath DocumentRoot. Here is my take on it: "(^|/)\.svn(/|$)". I.e. this matches any of

    .svn
    .svn/something
    something/.svn
    something/.svn/something
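Putting the comments above together, here is the rule in the form current Apache releases expect, as an added example that is not part of the original post or its comments. It assumes Apache 2.4 with access to the vhost configuration; the 2.2 and .htaccess variants are given as assumptions as well. The anchored pattern from the last comment is used because <Directory> patterns are matched against the absolute filesystem path, so the regex has to allow for the leading path.

```apache
# Deny access to every ".svn" directory at any depth below DocumentRoot.
# <DirectoryMatch> is the regex form of <Directory ~ ...>; Apache 2.4 syntax.
<DirectoryMatch "(^|/)\.svn(/|$)">
    Require all denied
</DirectoryMatch>

# Apache 2.2 equivalent of the block above:
# <DirectoryMatch "(^|/)\.svn(/|$)">
#     Order allow,deny
#     Deny from all
# </DirectoryMatch>

# In a .htaccess file, where <Directory> is not permitted, mod_alias can answer
# 404 for the same URL paths (this hides .svn instead of confirming it with 403):
# RedirectMatch 404 "/\.svn(/|$)"
```

After reloading, a request for /.svn/entries and /.svn/wc.db on the site must come back 403 (or 404 with the RedirectMatch variant) rather than 200. The cleaner fix is not to have ".svn" on the server at all: deploy with "svn export" instead of "svn checkout", or check out into a directory outside DocumentRoot and copy the files in.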

