[ic] Risks of websites served from Subversion or CVS checkouts

Jon Jensen jon at endpoint.com
Wed Aug 20 15:05:54 UTC 2008


On Wed, 20 Aug 2008, Stefan Hornburg wrote:

>>>>> If you use Subversion or CVS on any project, I recommend you look into how
>>>>> your files are being served and see if there's anything being exposed.
>>
>> We could easily set $relpat = qr/(\.\.|\.svn|CVS)/ in Vend::File
>> to ignore CVS/Subversion directories.
>
> Or, make this configurable.

Certainly, that would be useful in general.

Though I hope you all didn't miss my note that Interchange as configured 
by default is *not* vulnerable to this anyway, as it will only serve 
files ending in .html, and in my checks none of the CVS or Subversion 
metadata matches that criterion. So it may be a solution without a real 
problem. :)

Jon


-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/
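
An added illustration of the two checks discussed in this thread, written as a stand-alone Perl script. It is not part of the original message and not Interchange's own code. It applies the $relpat pattern quoted above next to a variant anchored to whole path components, and combines each with the ".html only" rule. The names is_servable and $relpat_component and the sample paths are hypothetical, constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern as quoted in the thread: matches anywhere in the path string.
my $relpat_loose = qr/(\.\.|\.svn|CVS)/;

# Hypothetical variant: matches only when "..", ".svn" or "CVS" is a whole
# path component, so ordinary file names containing those strings pass.
my $relpat_component = qr{(?:^|/)(?:\.\.|\.svn|CVS)(?:/|$)};

# Hypothetical helper: a path is servable only if it is outside VCS metadata
# directories, contains no traversal component, and ends in .html.
sub is_servable {
    my ($path, $deny) = @_;
    return 0 if $path =~ $deny;            # traversal or VCS metadata
    return 0 unless $path =~ /\.html\z/;   # serve only .html pages
    return 1;
}

# Constructed sample paths (not taken from any real checkout).
my @samples = (
    'index.html',
    'docs/CVS-migration.html',
    '.svn/entries',
    '.svn/text-base/index.html.svn-base',
    'CVS/Entries',
    'pages/CVS/Root',
    '../etc/passwd',
    'notes..old.html',
);

printf "%-38s %-6s %-6s\n", 'path', 'loose', 'strict';
for my $p (@samples) {
    printf "%-38s %-6s %-6s\n", $p,
        (is_servable($p, $relpat_loose)     ? 'serve' : 'deny'),
        (is_servable($p, $relpat_component) ? 'serve' : 'deny');
}
```

Both patterns deny every metadata and traversal path in the sample set. They differ only on docs/CVS-migration.html and notes..old.html, which the unanchored pattern also denies.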


