[Mongrel] SVN security hole explained

Philip Hallstrom mongrel at philip.pjkh.com
Fri Aug 25 17:37:59 EDT 2006


> I don't see why this is a huge security issue either.  At the worst
> someone can view your commit history by viewing the .svn/entries file.
> The password auth files are stored in the repository itself, not in
> the .svn directories in the working copy.

Maybe not huge, but that file gives you logins.  Which then helps attack
in other ways... and it also lets them know you're running subversion and
how... so gives them a host to attack perhaps...

2 more cents...

>
> Shane Vitarana
> shanesbrian.net
>
> On 8/25/06, carmen <_ at whats-your.name> wrote:
>>> This is a Subversion working copy administrative directory.
>>> Visit http://subversion.tigris.org/ for more information.
>>
>> is there actually anything important in there? I mean if you authenticate with SSH keys, and even if you don't, I don't think it caches passwords? and it surely doesn't cache the entire history or anything (like a .git dir) so they won't be able to see all the embarrassing oneline 'oops, working now' commits..
>>
>>>
>>> -daya
>>
>>> _______________________________________________
>>> Mongrel-users mailing list
>>> Mongrel-users at rubyforge.org
>>> http://rubyforge.org/mailman/listinfo/mongrel-users

