[Mongrel] SVN security hole explained

linux user fanoflinux at gmail.com
Fri Aug 25 12:04:07 EDT 2006


On 8/25/06, Francois Beausoleil <francois.beausoleil at gmail.com> wrote:
>
> Hi all,
>
> If you are using Pound / Pen or another load balancer, I believe you
> should read this:
>
>
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
>
> My article refers to Dan Benjamin's
> http://hivelogic.com/articles/2006/04/30/preventing_svn_exposure
>
> My point is that even though we are preventing Apache from serving
> anything except a select few file extensions, Mongrel is serving up
> the files behind the scenes.
>
> So, http://myrailsapp.com/.svn/entries exposes Subversion metadata.
>
> Go and read the posts, well worth the time:
>
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
>
> Bye !
> --
> François Beausoleil
> http://blog.teksol.info/
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users


Yup confirmed it on my application http://localhost:4111/.svn/README.txt shows

This is a Subversion working copy administrative directory.
Visit http://subversion.tigris.org/ for more information.

-daya
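
Added example (not from this thread, the linked articles, or Mongrel itself): a Ruby check for the exposure described above, which flags request paths that reach a .svn directory and lists the .svn directories under a document root that a file-serving backend would hand out. The function names and the sample request paths are constructed for illustration.

```ruby
require 'find'

# Undo one level of percent-encoding so "%2Esvn" is seen as ".svn".
def decode_path(path)
  path.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# True when any segment of the request path is a Subversion admin directory.
# The query string is ignored; the comparison is case-insensitive because
# some filesystems are.
def svn_metadata_path?(request_path)
  path = decode_path(request_path.to_s.split('?', 2).first.to_s)
  path.split(%r{[/\\]+}).any? { |seg| seg.downcase == '.svn' }
end

# Walk a document root and return the URL paths of every .svn directory
# that a file-serving backend would expose.
def exposed_svn_dirs(docroot)
  hits = []
  Find.find(docroot) do |p|
    next unless File.directory?(p) && File.basename(p).downcase == '.svn'
    hits << p.sub(%r{\A#{Regexp.escape(docroot)}/?}, '/')
    Find.prune # no need to descend into the admin directory itself
  end
  hits.sort
end

# Constructed sample requests, as they would reach the backend directly.
if __FILE__ == $PROGRAM_NAME
  ['/.svn/entries', '/%2Esvn/README.txt', '/images/.SVN/entries',
   '/articles/svn-tips', '/search?q=/.svn/'].each do |req|
    puts format('%-28s %s', req, svn_metadata_path?(req) ? 'DENY' : 'allow')
  end
  root = ARGV[0] # optional: path to the application's public directory
  puts exposed_svn_dirs(root) if root && File.directory?(root)
end
```

Deploying from an export rather than a working copy leaves no .svn directories for the second function to find.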