[Mongrel] SVN security hole explained
John Butler
imtall at gmail.com
Fri Aug 25 12:22:32 EDT 2006
> If you are using Pound / Pen or another load balancer, I believe you
> should read this:
>
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
>
> My article refers to Dan Benjamin's
> http://hivelogic.com/articles/2006/04/30/preventing_svn_exposure
>
> My point is that even though we are preventing Apache from serving
> anything except a select few file extensions, Mongrel is serving up
> the files behind the scenes.
>
> So, http://myrailsapp.com/.svn/entries exposes Subversion metadata.
>
> Go and read the posts, well worth the time:
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
>
Thanks for pointing that one out! If you do use Pound and don't want
to change your deploy method, just add this to your pound.cfg after
ListenHTTP(S):
Service
URL "\\.svn"
end
That will give a 503 to anyone trying to access it. This assumes pound
is running in front. Note this will block anything with ".svn" in the
URL.
-John
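An application-level counterpart to the Pound rule above, added here as an example and not taken from the thread or from Mongrel: a small Rack-style middleware in Ruby (Mongrel's language) that refuses any request whose path contains a `.svn` directory segment, after percent-decoding and collapsing `..` segments so encoded or traversal variants cannot slip past. The class name, regex and helper names are my own.

```ruby
# Added example, not code from the thread. A Rack-style middleware that
# returns 403 for any path containing a ".svn" directory segment, for the
# case where the load balancer in front of Mongrel cannot do the filtering.
class BlockSvnMetadata
  # Matches ".svn" only as a whole path segment ("/.svn/" or trailing "/.svn").
  SVN_SEGMENT = %r{(?:\A|/)\.svn(?:/|\z)}

  def initialize(app)
    @app = app
  end

  def call(env)
    if self.class.svn_path?(env['PATH_INFO'].to_s)
      [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
    else
      @app.call(env)
    end
  end

  # True when the decoded, normalized path has a ".svn" segment.
  def self.svn_path?(path)
    !!(normalize(percent_decode(path)) =~ SVN_SEGMENT)
  end

  # Decode %XX escapes so "/%2Esvn/entries" is seen as "/.svn/entries".
  def self.percent_decode(path)
    path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  end

  # Drop empty and "." segments, resolve ".." so "/app/../.svn/entries"
  # is seen as "/.svn/entries".
  def self.normalize(path)
    out = []
    path.split('/').each do |seg|
      case seg
      when '', '.' then next
      when '..'    then out.pop
      else              out << seg
      end
    end
    '/' + out.join('/')
  end
end
```

This is narrower than the Pound regex in the reply: Pound's `\.svn` blocks any URL containing that substring, while the middleware only blocks whole `.svn` path segments, so a file such as `report.svn-base` outside a `.svn` directory stays reachable.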