SVN Flaw Reveals Source Code to 3,300 Popular Websites
"A Russian security group has posted a detailed blog post about how they managed to extract the source code to over 3,300 websites. The group found that some of the largest and best known domains on the web, such as apache.org and php.net, amongst others, are vulnerable to an elementary information leak that exposes the structure and source of website files."
"The actual ‘exploit’ itself has been well known for a long time. It is
the fault of the server administrator or developer, rather than the
fault of a particular application, since the working metadata
directories in Subversion are only required for working copies of code.
What is surprising is just how prevalent the problem is – and who it
affects. Finding version control metadata directories is as simple as
looking for ‘.svn’ or ‘.cvs’ folders within web paths, for example: http://www.test.com/.svn/."
Read more: http://www.techcrunch.com/2009/09/23/basic-flaw-reveals-source-code-to-3300-popular-websites/
It's not actually a flaw in subversion. If you deployed using `git clone` you could have a similar problem. Subversion does leave its little .svn turds everywhere though. That is a bit of a design issue.
Posted by: Brendan Baldwin | Sep 24, 2009 5:15:58 PM
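A pre-deployment check for the problem described in the quoted article and in the comment about `git clone`, as an added example that is not part of the original post or the comment: it walks a local document root, reports every version control metadata directory that would be served, and shows a clean export that leaves them behind. The function names, the sample tree and the extra directory names (`CVS`, `.hg`) are assumptions made for this example.

```python
import os
import shutil
import tempfile

# Metadata directory names to flag. ".svn" and ".cvs" are named in the quoted
# article and ".git" follows from the comment; "CVS" (the name CVS working
# copies use) and ".hg" are additions made for this example.
VCS_DIRS = {".svn": "Subversion", ".git": "Git", ".hg": "Mercurial",
            "CVS": "CVS", ".cvs": "CVS"}

def find_vcs_metadata(docroot):
    """Return sorted (relative_path, vcs_name) pairs for metadata dirs under docroot."""
    findings = []
    for current, dirs, _files in os.walk(docroot):
        for name in list(dirs):
            if name in VCS_DIRS:
                rel = os.path.relpath(os.path.join(current, name), docroot)
                findings.append((rel.replace(os.sep, "/"), VCS_DIRS[name]))
                dirs.remove(name)  # do not descend into the metadata itself
    return sorted(findings)

def export_clean(working_copy, target):
    """Copy a working copy to a new deploy directory, leaving VCS metadata behind."""
    shutil.copytree(working_copy, target, ignore=shutil.ignore_patterns(*VCS_DIRS))
    return find_vcs_metadata(target)

def build_sample_tree(root):
    """Constructed sample: a working copy with .svn in every directory."""
    for d in (".svn", "css/.svn", "admin/.svn", "lib/.git"):
        os.makedirs(os.path.join(root, *d.split("/")))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")

def demo():
    """Audit the constructed working copy, then audit a clean export of it."""
    with tempfile.TemporaryDirectory() as tmp:
        wc = os.path.join(tmp, "working_copy")
        os.makedirs(wc)
        build_sample_tree(wc)
        before = find_vcs_metadata(wc)
        after = export_clean(wc, os.path.join(tmp, "deploy"))
        deployed = os.path.exists(os.path.join(tmp, "deploy", "index.php"))
        return before, after, deployed

if __name__ == "__main__":
    print(demo())
```

Running `find_vcs_metadata` against the real document root in a deployment pipeline and failing the build on a non-empty result catches the misconfiguration before it is served.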