[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030401195612.GL6742@ifokr.org>
Date: Tue, 1 Apr 2003 11:56:12 -0800
From: Brian Hatch <vuln-dev@...kr.org>
To: bugtraq@...urityfocus.com, vuln-dev@...urityfocus.com
Subject: Re: Webserver CVS (In)Security
> A lot of people use CVS to manage their web content. It's a great way to
> keep track of changes, and makes updating and rollbacks a very easy
> thing to do.
...
> When I finally decided to manage my web content with CVS, I noticed
> something about the directory layout (after running a `cvs up`) of my
> website; there were a bunch of CVS directories with files in them. I
> always knew they were there when working with CVS (those files are the
> way CVS keeps track of versions and what not), but I never paid any mind
> to them.. until today.
I use CVS to manage many of my web sites too, however the website is
rsync'd from the checked out CVS version. I use the '-C' flag
(--cvs-exclude) to automatically not upload any CVS-related files.
From the man page:
This is a useful shorthand for excluding a broad range of
files that you often donīt want to transfer between
systems. It uses the same algorithm that CVS uses to
determine if a file should be ignored.
The exclude list is initialized to:
RCS SCCS CVS CVS.adm RCSLOG cvslog.* tags TAGS .make.state
.nse_depinfo *~ #* .#* ,* *.old *.bak *.BAK *.orig *.rej .del-*
*.a *.o *.obj *.so *.Z *.elc *.ln core
then files listed in a $HOME/.cvsignore are added to the
list and any files listed in the CVSIGNORE environment
variable (space delimited).
Finally, any file is ignored if it is in the same
directory as a .cvsignore file and matches one of the
patterns listed therein. See the cvs(1) manual for more
information.
This prevents all those sensative files from being published, not just
those that are in the CVS directory.
If it's just the CVS directory you're worried about, you could configure
apache to deny these using a <files CVS> option in your httpd.conf.
--
Brian Hatch I used to work in a
Systems and blanket factory,
Security Engineer but it folded.
www.hackinglinuxexposed.com
Every message PGP signed
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists