« New open source web application layer firewall 'ESAPI WAF' released | Main | Reddit XSS worm spreads »

SVN Flaw Reveals Source Code to 3,300 Popular Websites

"A Russian security group has posted a detailed blog post about how they managed to extract the source code to over 3,300 websites. The group found that some of the largest and best known domains on the web, such as apache.org and php.net, amongst others, are vulnerable to an elementary information leak that exposes the structure and source of website files."

"The actual ‘exploit’ itself has been well known for a long time. It is the fault of the server administrator or developer, rather than the fault of a particular application, since the working metadata directories in Subversion are only required for working copies of code. What is surprising is just how prevalent the problem is – and who it affects. Finding version control metadata directories is as simple as looking for ‘.svn’ or ‘.cvs’ folders within web paths, for example: http://www.test.com/.svn/."

Read more: http://www.techcrunch.com/2009/09/23/basic-flaw-reveals-source-code-to-3300-popular-websites/


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!

Its not actually a flaw in subversion. If you deployed using `git clone` you could have a similar problem. Subversion does leave it's little .svn turds everywhere though. That is a bit of a design issue.