HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Is your .svn showing (like 3300 other sites)?

TechCrunch has an article (pointing back to a Russian security company blog post (translated link)) detailing a scan of 2,253,388 web sites which yielded an amazing 3,320 exposed Subversion .svn directories.


In case you're not familiar with Subversion, it is a version control system similar to CVS. Its .svn directory is likely to hold a wealth of information for attackers: account names of developers, change histories, and, most importantly, full copies of source code, which may be served as plain text rather than executed on the server side.


At best, disclosure of source code will give your attacker great insight into how things operate and point out any "hidden" files. At worst, it will let attackers find a flaw that leads to compromise of your server. Clearly, neither of those is a desirable outcome.


To check your website for a .svn directory (and don't forget to look for a "cvs" directory as well), there are several options (more than one is probably appropriate):



And don't forget that the .svn directory may exist in any location, not just the web root.
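The self-check below is an added example, not part of the original post or of WebInspect. It walks every directory prefix of the paths you give it (so it also covers .svn directories outside the web root), requests the files a working copy always contains, and only reports a hit when the response body actually looks like Subversion data, which avoids false positives from servers that answer "not found" pages with HTTP 200. The base URL and paths are assumed to be your own site.

```python
"""Self-check for an exposed Subversion .svn directory (added example)."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Files every working copy contains: 'entries' and 'format' (1.4-1.6 layout),
# 'wc.db' (SQLite store used since Subversion 1.7).
PROBES = ("entries", "wc.db", "format")


def directory_prefixes(path):
    """'/app/lib/x.php' -> ['/', '/app/', '/app/lib/'] (file name dropped)."""
    dirs = [p for p in path.rsplit("/", 1)[0].split("/") if p]
    return ["/"] + ["/" + "/".join(dirs[:i + 1]) + "/" for i in range(len(dirs))]


def candidate_urls(base_url, paths):
    """Yield each .svn probe URL once, for every directory of every path."""
    seen = set()
    for path in paths:
        for prefix in directory_prefixes(path):
            for name in PROBES:
                url = urllib.parse.urljoin(base_url, prefix + ".svn/" + name)
                if url not in seen:
                    seen.add(url)
                    yield url


def looks_like_svn(name, body):
    """True only if the body has the structure of the named .svn file."""
    head = body.lstrip()
    if name == "wc.db":
        return head.startswith(b"SQLite format 3\x00")
    first = head.split(b"\n", 1)[0].strip()
    if name == "format":
        return first.isdigit()
    # 'entries': a bare format number (1.4-1.6) or XML (pre-1.4 layout)
    return first.isdigit() or (head.startswith(b"<?xml") and b"wc-entries" in head)


def fetch(url, timeout=10):
    """Return (status, first 4 KiB of body); status None on connection error."""
    req = urllib.request.Request(url, headers={"User-Agent": "svn-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def scan(base_url, paths):
    """Return the probe URLs that serve real Subversion metadata."""
    return [u for u in candidate_urls(base_url, paths)
            if (lambda s, b: s == 200 and looks_like_svn(u.rsplit("/", 1)[1], b))(*fetch(u))]


if __name__ == "__main__":  # usage: svn_check.py https://your.site/ /app/index.php /admin/
    for hit in scan(sys.argv[1], sys.argv[2:] or ["/"]):
        print("EXPOSED:", hit)
```

Any URL it prints is a confirmed working-copy file served to anonymous clients; an empty result only covers the paths you listed, so feed it every directory your site map or access logs know about.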


If you find one, you should take several steps to resolve the situation:



  • Move the .svn directory to someplace inaccessible via the web site

  • Reconfigure your web server to not serve files/directories that begin with a dot

  • Check google.com, archive.org and other sites which cache web sites to ensure your source code is not still available--if it is, follow the site's procedure for requesting the content be removed

  • Thoroughly review all exposed files (whether or not you have evidence that they were accessed) to look for user IDs, passwords, database connection strings, etc., and if you find any: change them immediately


The authors of the survey attempted to contact all the sites via email. If you suspect you were on the list and didn't receive the warning, you may want to review your mail handling procedures, ensure you have appropriate contact email addresses (see RFC 2142 for more info), and add your company to OSVDB.org's "Vendor Dictionary" to allow third parties to more easily contact you.


WebInspect will help to ensure the security of your web applications by locating insecure .svn directories. Simply SmartUpdate to receive the latest checks and methodologies.

Comments
09-24-2009 07:45 PM

Yes, a big part of the Russian part of the Internet, and especially IT specialists, talk about this :smileyhappy:

09-30-2009 12:43 AM

4o3kcL I want to say - thank you for this!

09-30-2009 03:20 PM

aYHkm4 I want to say - thank you for this!
