[Mongrel] SVN security hole explained

Francois Beausoleil francois.beausoleil at gmail.com
Fri Aug 25 11:26:50 EDT 2006


Hi all,

If you are using Pound / Pen or another load balancer, I believe you
should read this:

http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel

My article refers to Dan Benjamin's
http://hivelogic.com/articles/2006/04/30/preventing_svn_exposure

My point is that even though we are preventing Apache from serving
anything except a select few file extensions, Mongrel is serving up
the files behind the scenes.

So, http://myrailsapp.com/.svn/entries exposes Subversion metadata.

Go and read the posts, well worth the time:
http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel

Bye!
-- 
François Beausoleil
http://blog.teksol.info/
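
An added example, not part of the original post and not Mongrel's own code: a Ruby audit that lists the version-control metadata sitting under a static document root, together with a request-path check a backend could use to refuse such paths. The function names and every directory name other than `.svn` are assumptions.

```ruby
require "find"
require "fileutils"
require "tmpdir"

# ".svn" is the directory the post names; the other names are added assumptions.
VCS_DIRS = %w[.svn .git .hg cvs].freeze

# True when any segment of the request path is a VCS metadata directory.
# Decodes percent-escapes once and ignores case, so "/%2Esvn/" and "/.SVN/"
# (which resolve on case-insensitive file systems) are caught too.
def vcs_metadata_path?(request_path)
  path = request_path.to_s.split("?", 2).first.to_s.b
  decoded = path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  decoded.split(%r{[/\\]}).any? { |seg| VCS_DIRS.include?(seg.downcase) }
end

# Walks a static document root and returns the URL paths of metadata files
# that a file-serving backend would hand out if asked for them directly.
def exposed_metadata(docroot)
  root = File.expand_path(docroot)
  hits = []
  Find.find(root) do |file|
    next unless File.file?(file)
    url = file.delete_prefix(root)
    hits << url if vcs_metadata_path?(url)
  end
  hits.sort
end

# Constructed sample tree: a Rails-style public/ checked out from Subversion.
def build_sample_docroot(dir)
  %w[index.html .svn/entries images/logo.png images/.svn/entries].each do |rel|
    path = File.join(dir, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, "constructed sample\n")
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_docroot(dir)
    puts exposed_metadata(dir)
  end
end
```

An empty result from `exposed_metadata` on the deployed `public/` directory means there is nothing for the backend to leak, whatever the front-end proxy filters.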

