> A lot of people use CVS to manage their web content. It's a great way to
> keep track of changes, and makes updating and rollbacks a very easy
> thing to do.
>
> ..BUT (there's always a but) this can be a _huge_ security risk.
>
> When I finally decided to manage my web content with CVS, I noticed
> something about the directory layout (after running a `cvs up`) of my
> website; there were a bunch of CVS directories with files in them. I
> always knew they were there when working with CVS (those files are the
> way CVS keeps track of versions and whatnot), but I never paid any mind
> to them.. until today.
>
> I opened up Mozilla and went to my website with a /CVS appended to the
> URL. Since I have Apache set up to disallow directory listings, I didn't
> get anything. Then I added /CVS/Entries to the URL. Two words came to
> mind: Uh-oh. The Entries file gave a complete listing of my webroot. It
> was like having ls(1) running on my webserver. The Entries file showed
> all the files and directories people normally wouldn't be able to see or
> even scan for. It would seem that having the directory listing option
> disabled in my httpd.conf didn't matter anymore.
> ...

keep two trees. tree 1 (let's call it /foo/cvs) is a copy of the cvs
material with all the cvs subdirs and meta-files in it. tree 2 (let's
call it /foo/www) is updated as follows whenever you cvs update tree 1,
or whatever you do to maintain it.

    % cd /foo/cvs
    % rsync -CHar --delete . /foo/www

--
|-----< "CODE WARRIOR" >-----|
codewarriorat_private                    * "ah! i see you have the internet
twofsonetat_private (Andrew Brown)         that goes *ping*!"
werdnaat_private                         * "information is power -- share the wealth."
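An added example, not from either poster: a small audit script that walks a document root, parses every CVS/Entries file it finds (the real Entries format: `/name/rev/timestamp/options/tag` per file, `D/name////` per subdirectory) to show exactly what the web server would disclose, and then builds the second, metadata-free tree the reply recommends (using shutil's ignore pattern as a stand-in for `rsync -C`) and re-audits it. The sample working copy and its file names are constructed.

```python
"""Audit a web document root for CVS metadata a web server would hand out."""
import os
import shutil
import tempfile
from pathlib import Path


def parse_entries(text):
    """Parse a CVS/Entries file into (name, kind) tuples.
    Files look like '/name/rev/timestamp/options/tag'; subdirectories look
    like 'D/name////'; a bare 'D' line only marks that dirs were recorded."""
    listed = []
    for line in text.splitlines():
        if not line or line == "D":
            continue
        kind = "dir" if line.startswith("D/") else "file"
        parts = line.split("/")          # parts[0] is '' or 'D'; parts[1] is the name
        if len(parts) > 1 and parts[1]:
            listed.append((parts[1], kind))
    return listed


def audit_docroot(docroot):
    """Return {relative path of each CVS/Entries: [(name, kind), ...]}.
    An empty dict means no CVS metadata is reachable under docroot."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if os.path.basename(dirpath) == "CVS" and "Entries" in filenames:
            entries = Path(dirpath, "Entries")
            findings[os.path.relpath(entries, docroot)] = parse_entries(entries.read_text())
    return findings


def publish_without_cvs(src):
    """Copy src to a fresh tree with every CVS/ directory left out (the
    /foo/www tree from the reply, minus rsync). Returns the new root."""
    dst = Path(tempfile.mkdtemp()) / "www"
    shutil.copytree(src, dst, ignore=shutil.ignore_patterns("CVS"))
    return dst


def make_sample_tree():
    """Constructed working copy resembling the poster's webroot (not real data)."""
    root = Path(tempfile.mkdtemp())
    (root / "private" / "CVS").mkdir(parents=True)
    (root / "CVS").mkdir()
    (root / "CVS" / "Entries").write_text(
        "/index.html/1.3/Wed Mar 12 10:00:00 2003//\n"
        "/admin.php/1.1/Wed Mar 12 10:00:00 2003//\n"
        "D/private////\nD\n")
    (root / "private" / "CVS" / "Entries").write_text(
        "/secrets.txt/1.2/Wed Mar 12 10:00:00 2003//\nD\n")
    (root / "index.html").write_text("<html></html>\n")
    return root
```

Running `audit_docroot(make_sample_tree())` reports both Entries files and the names they leak, while `audit_docroot(publish_without_cvs(...))` on the same tree returns nothing.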
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 10:00:14 PST