lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 1 Apr 2003 17:33:35 -0500
From: Andrew Brown <atatat@...tdot.net>
To: bugtraq@...urityfocus.com, vuln-dev@...urityfocus.com
Subject: Re: Webserver CVS (In)Security


>A lot of people use CVS to manage their web content. It's a great way to
>keep track of changes, and makes updating and rollbacks a very easy
>thing to do.
>
>..BUT (there's always a but) this can be a _huge_ security risk.
>
>When I finally decided to manage my web content with CVS, I noticed
>something about the directory layout (after running a `cvs up`) of my
>website; there were a bunch of CVS directories with files in them. I
>always knew they were there when working with CVS (those files are the
>way CVS keeps track of versions and what not), but I never paid any mind
>to them.. until today.
>
>I opened up Mozilla and went to my website with a /CVS appended to the
>URL. Since I have Apache setup to disallow directory listings, I didn't
>get anything. Then I added /CVS/Entries to the URL. Two words came to
>mind: Uh-oh. The Entries file gave a complete listing of my webroot. It
>was like having ls(1) running on my webserver. The Entries file showed
>all the files and directories people normally wouldn't be able to see or
>even scan for. It would seem that having the directory listing option
>disabled in my httpd.conf didn't matter anymore.
>...

keep two trees.

tree 1 (let's call it /foo/cvs) is a copy of the cvs material with all
the cvs subdirs and meta-files in it.

tree 2 (let's call it /foo/www) is updated as follows whenever you cvs
update tree 1, or whatever you do to maintain it.

	% cd /foo/cvs
	% rsync -CHar --delete . /foo/www

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@...mon.org             * "ah!  i see you have the internet
twofsonet@...ffiti.com (Andrew Brown)                that goes *ping*!"
werdna@...ooshy.com       * "information is power -- share the wealth."

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ