Subversion "Exploit" Uncovered September 29th, 2009
It is not often that the word “exploit” appears in quotation marks in an Information Technology setting, but the vulnerability recently written up by Anton Isaykin and 2comrades is one of those rare cases. Enter Subversion (SVN), the popular revision control system that makes version management of any web project a dream. Sadly, that dream becomes a nightmare when the tool that makes your life easy also makes it easy for others to steal your work. When a working copy is deployed carelessly, information about your website (notably its file structure and source code) can be read straight from SVN's own metadata by anyone with a web browser.
To understand this security hole, let’s look at how SVN works. In a simplified nutshell, SVN stores its bookkeeping in a hidden sub-directory named .svn inside every directory of a working copy. One file in particular, entries, describes the whole shebang: your file structure. It also records the URL of the repository the copy was checked out from, the usernames of the developers who last committed each file, file sizes and modification dates. Even worse, the text-base sub-directory holds a pristine copy of every versioned file (config.php, for example, is kept as text-base/config.php.svn-base). Because the web server has no handler for the .svn-base suffix, those copies are not parsed as PHP or anything else; they are served as plain text, and they are the source code to your project.
The good news is that this problem is quickly addressed. Here at Idologic, we use the Apache web server, and the fix is a few lines of configuration. Note that Directory sections are only permitted in the main server configuration (httpd.conf or a virtual host block), not in .htaccess, where they produce a 500 error. If you have access to the server configuration, deny every .svn directory there:
<Directory ~ ".*\.svn">
Deny from all
</Directory>
If you only have an .htaccess file in your website’s root directory (/home/username/public_html/), use a redirect rule instead. It answers 404 to any request whose path contains a .svn component, which hides the directories just as effectively:
RedirectMatch 404 "/\.svn(/|$)"
Either version does what it looks like: it denies anyone access over HTTP (port 80) to the .svn directories where the information is stored. Verify it by requesting http://your-site/.svn/entries in a browser or with curl; you should get a 403 or 404, never the file. One caveat for the first form: Deny from all is Apache 2.2 syntax, and Apache 2.4 spells the same thing Require all denied.
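As an added example (it is not code from the original post, from Idologic or from the Subversion project), the following Python script parses a constructed .svn/entries file in the plain-text layout that Subversion 1.4 to 1.6 clients write (the layout a 2009 checkout would have), lists what it reveals (repository URL, committers' usernames, and every file whose pristine copy sits under .svn/text-base/), and then checks each resulting URL path against a deny pattern that matches any path component named .svn, which is what the Apache rule above is meant to express. The field order assumed for entries is the one used by those clients; the host, user and file names are invented for the demonstration.

```python
"""Inventory what a web-served .svn/ directory gives away and check that
a deny rule covers every such path.

Added example for this post; not code from Idologic, the Subversion
project or the Smashing Magazine write-up.  It assumes the plain-text
.svn/entries layout written by Subversion 1.4-1.6 working copies:
line 1 is the format number, entries are terminated by a form feed,
and the first eleven lines of each entry are name, kind, revision,
url, repos, schedule, text-time, checksum, committed-date,
committed-rev and last-author, with trailing empty fields omitted.
Host, user and file names are constructed for the demonstration.
"""
import re

FIELDS = ("name", "kind", "revision", "url", "repos", "schedule",
          "text_time", "checksum", "committed_date", "committed_rev",
          "last_author")

# Constructed entries file for a document root holding an admin/
# subdirectory, config.php and index.php.  The first entry (empty name)
# describes the directory itself; a subdirectory appears only as
# name + kind, because its details live in admin/.svn/entries.
SAMPLE_ENTRIES = (
    "10\n"
    "\ndir\n412\n"
    "http://svn.example.test/repo/trunk/www\n"
    "http://svn.example.test/repo\n"
    "\n\n\n"
    "2009-09-10T14:03:12.000000Z\n412\nalice\n"
    "\x0c\n"
    "admin\ndir\n"
    "\x0c\n"
    "config.php\nfile\n412\n\n\n\n"
    "2009-09-09T08:11:00.000000Z\n"
    "9a0364b9e99bb480dd25e1f0284c8555\n"
    "2009-09-09T08:11:00.000000Z\n410\nbob\n"
    "\x0c\n"
    "index.php\nfile\n412\n\n\n\n"
    "2009-09-10T14:03:12.000000Z\n"
    "d41d8cd98f00b204e9800998ecf8427e\n"
    "2009-09-10T14:03:12.000000Z\n412\nalice\n"
    "\x0c\n"
)

# Deny pattern used by this example: any path with a /.svn component,
# followed by a slash or the end of the path (so /.svnrc is not caught).
DENY_PATTERN = re.compile(r"/\.svn(/|$)")


def parse_entries(text):
    """Parse an entries file into {"format": int, "entries": [dict...]}.

    Each entry dict carries every name in FIELDS; fields absent from
    the file (trailing empties are omitted on disk) are filled with "".
    """
    chunks = text.split("\x0c\n")
    fmt_line, _, rest = chunks[0].partition("\n")   # format number first
    chunks[0] = rest
    entries = []
    for chunk in chunks:
        if not chunk:
            continue                                  # text after the last terminator
        body = chunk[:-1] if chunk.endswith("\n") else chunk
        lines = body.split("\n")
        lines += [""] * (len(FIELDS) - len(lines))
        entries.append(dict(zip(FIELDS, lines)))
    return {"format": int(fmt_line), "entries": entries}


def leaked_paths(entries, base="/"):
    """URL paths an anonymous visitor can fetch when .svn/ is served:
    the entries file, the pristine copy of every versioned file in
    text-base/ (served verbatim, since no handler claims the .svn-base
    suffix), and the entries file of every subdirectory."""
    paths = [base + ".svn/entries"]
    for e in entries:
        if not e["name"]:
            continue                                  # the directory's own record
        if e["kind"] == "file":
            paths.append(f"{base}.svn/text-base/{e['name']}.svn-base")
        elif e["kind"] == "dir":
            paths.append(f"{base}{e['name']}/.svn/entries")
    return paths


def committers(entries):
    """Developer usernames exposed through the last-author field."""
    return sorted({e["last_author"] for e in entries if e["last_author"]})


def blocked(path):
    """True if the deny pattern would refuse this request."""
    return DENY_PATTERN.search(path) is not None


def audit(entries_text, base="/"):
    """Summarise one directory's exposure and list every leaked path the
    deny pattern fails to cover (an empty list means the rule holds)."""
    parsed = parse_entries(entries_text)
    paths = leaked_paths(parsed["entries"], base)
    return {
        "repo_url": parsed["entries"][0]["url"],
        "committers": committers(parsed["entries"]),
        "leaked": paths,
        "unblocked": [p for p in paths if not blocked(p)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ENTRIES)
    print("repository:", report["repo_url"])
    print("committers:", ", ".join(report["committers"]))
    for p in report["leaked"]:
        print("LEAKS " if p in report["unblocked"] else "denied", p)
```

Running the script against your own site is a matter of swapping SAMPLE_ENTRIES for the file fetched from http://your-site/.svn/entries; if the fetch fails with a 403 or 404 the fix is already in place, and if audit() returns anything under "unblocked" the deny rule you deployed has a gap.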
The other fix is to use svn export when deploying, which many careful developers already do. An export writes the files without any .svn metadata, so nothing sensitive ends up in the web root in the first place. The trade-off is that an exported tree is not a working copy and cannot be updated in place, so the usual pattern is to keep the working copy outside the document root (or on a build machine) and export a fresh copy from it for each deployment.
So now you can see the reasoning behind the quotation marks. This security flaw is a matter of bad practice more than poor software code, and two effective fixes are readily available. The good folks who found this flaw wrote up an interesting article about it, which you can read at Smashing Magazine – SVN Server Admin Issue – Fix it! It contains more detail on how the flaw was found, as well as striking examples of how easily the exposed data can be accessed. We also pass along our thanks to our vigilant customer Shi for sending us the article!