[Mongrel] SVN security hole explained

John Butler imtall at gmail.com
Fri Aug 25 12:22:32 EDT 2006


> If you are using Pound / Pen or another load balancer, I believe you
> should read this:
>
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
>
> My article refers to Dan Benjamin's
> http://hivelogic.com/articles/2006/04/30/preventing_svn_exposure
>
> My point is that even though we are preventing Apache from serving
> anything except a select few file extensions, Mongrel is serving up
> the files behind the scenes.
>
> So, http://myrailsapp.com/.svn/entries exposes Subversion metadata.
>
> Go and read the posts, well worth the time:
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
>

Thanks for pointing that one out! If you do use Pound and don't want
to change your deploy method, just add this to your pound.cfg after
ListenHTTP(S):

Service
  URL "\\.svn"
end

That will give a 503 to anyone trying to access it. This assumes pound
is running in front. Note this will block anything with ".svn" in the
URL.

-John
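As an added illustration, not part of John's message or of Pound itself: a small Python emulation of how that Service block decides, using the unanchored pattern from the snippet (the config string "\\.svn" reaches the regex engine as \.svn) beside an assumed tighter alternative that only matches a ".svn" path component. Pound's own matcher is emulated with Python's `re`; the sample request paths are constructed.

```python
import re

# Pattern from the pound.cfg snippet above: "\\.svn" in the config file is the
# regex \.svn, which matches anywhere in the request URL (hence the caveat
# that anything containing ".svn" is blocked).
BROAD_PATTERN = re.compile(r"\.svn")

# Assumed tighter alternative: match ".svn" only as a whole path component,
# so /.svn/entries and /app/.svn/wc.db are blocked but /images/logo.svn.png
# is not. Whether that is acceptable depends on the deploy layout.
COMPONENT_PATTERN = re.compile(r"(^|/)\.svn(/|$)")


def pound_decision(path: str, pattern: re.Pattern = BROAD_PATTERN) -> int:
    """Emulate the Service block: a URL match with no BackEnd yields 503,
    anything else falls through to the next Service (modelled here as 200)."""
    return 503 if pattern.search(path) else 200


def classify(paths, pattern=BROAD_PATTERN):
    """Return {path: status} for a batch of request paths."""
    return {p: pound_decision(p, pattern) for p in paths}


# Constructed sample requests (not taken from the thread)
SAMPLE_PATHS = [
    "/.svn/entries",
    "/app/.svn/wc.db",
    "/images/logo.svn.png",  # blocked only by the broad pattern
    "/users/1",
]

if __name__ == "__main__":
    for label, pat in (("broad", BROAD_PATTERN), ("component", COMPONENT_PATTERN)):
        print(label)
        for p, code in classify(SAMPLE_PATHS, pat).items():
            print(f"  {code} {p}")
```

Verify the real behaviour against the running Pound instance rather than this emulation, since Pound's regex flags and URL normalisation are its own.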
