Posted By: TommyCarlier | Sep 25th @ 4:09 AM
page 1 of 1
Comments: 15 | Views: 805
TommyCarlier
I want my scalps!

SVN Strikes Back: A Serious Vulnerability Found

A few months ago, Anton Isaykin in collaboration with the company 2comrades found a huge vulnerability that is quite typical of big projects (we do not name names here). To test it, they obtained the file structures and even the source code of about 3320 Russian websites and some major English-language websites. Serious vulnerabilities like this aren't supposed to exist nowadays. Every serious or visible exploit is found and fixed quickly. But here we will show you something simple and ordinary yet very dangerous.

Ouch. Anyone using SVN on their web server better check if they're vulnerable.

I'd say it's a misuse of SVN rather than a vulnerability in it.

Worth people being reminded not to copy .svn folders to public places, and use svn export instead, but SVN isn't doing anything wrong and doesn't itself need fixing. People using it incorrectly need to fix how they're using it.

Definitely a good article for people who haven't realised the risk, though.

Bass
www.spreadfirefox.com/5years/

I probably didn't understand that article but..

The risk is if you improperly upload source code to a public web server people can see it?

Is this supposed to be surprising?

CannotResolveSymbol
{insert caption here}

Yes.  I would have expected better from TommyCarlier, who ostensibly read the article and yet still is making the claim that this is a "serious vulnerability in SVN" (SVN is operating as designed; it's the web developers who are doing things wrong).  Apparently he's taking a page from the tech journalists' playbook here.


On the subject of the "vulnerability", a similar problem would exist for virtually any version control system.  This problem would be amplified with distributed version control systems (Git, Mercurial, Bzr, etc.), as they store the *whole repository* (including previous versions) in their hidden directories.


So it's not just SVN users who need to be aware of these issues.  Essentially, everyone needs to make sure they're using their VCS correctly.
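A pre-deploy check in the spirit of the advice in this thread (deploy with svn export, and remember that Git, Mercurial and Bazaar checkouts carry the whole history in their hidden directories). This is an added example written for this page, not code from the thread or from Subversion; the function names, the directory list and the exit-code convention are its own assumptions.

```shell
#!/bin/sh
# Added example: scan a web document root for version-control metadata
# directories before it goes live. A .svn directory exposes the file layout
# (and, with pre-1.7 working copies, pristine copies of every file); .git,
# .hg and .bzr directories expose the entire repository history.
# Assumes a POSIX shell and find(1). Prints each offending directory and
# returns 1 if any were found, 0 if the tree is clean.

find_vcs_metadata() {
    docroot="$1"
    # -prune stops find descending into a matched directory, so each
    # leaked checkout is reported once rather than once per nested file
    found=$(find "$docroot" -type d \
        \( -name .svn -o -name .git -o -name .hg -o -name .bzr \) \
        -prune -print 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample: a site copied to the docroot with plain cp -r,
# which drags the working-copy metadata along with it
make_leaky_site() {
    site="$1"
    mkdir -p "$site/css" "$site/.svn/text-base" "$site/css/.svn"
    printf 'dir\n1\n' > "$site/.svn/entries"
    printf '<html></html>\n' > "$site/index.html"
}

# Constructed sample: what "svn export" of the same site produces
make_clean_site() {
    site="$1"
    mkdir -p "$site/css"
    printf '<html></html>\n' > "$site/index.html"
}
```

Run `find_vcs_metadata /path/to/docroot` as the last step of a deployment script; a non-zero exit aborts the promotion before the metadata is ever reachable from the web.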

Maddus Mattus
Do, or do not. There is no try. - Yoda

Well,..


A good source control system should not have the option to export all code away from the source control,..


It's like a big red button with the label "DON'T PUSH".

ManipUni
Proving QQ for 5 years!

Lock-in much.... Also moronic.

CannotResolveSymbol
{insert caption here}

Why?  There's no reason one would ever want to get rid of the metadata in a working copy and have a clean copy of just the source?

stevo_
Human after all

Kind of an interesting issue, it isn't like this is a big gaping hole; it's just that the design doesn't lend itself to external security concerns.. I think this will certainly be enough ammo for some people to switch to the next fad.. git, or perhaps even mercurial, which seems superior in design but unfortunately not as well adopted.. which is pretty important.. nothing worse than being 'the only person in the world of google search results to have this error message'.

CannotResolveSymbol
{insert caption here}

And (more importantly), for the sort of people that do this sort of stupid thing (uploading SVN working copies with metadata to servers), git or mercurial would be worse.  See my post above.

Maddus Mattus
Do, or do not. There is no try. - Yoda

Well,.. just saying,..


If I write software I always tend to think of my users as the dumbest SOB's on the planet.


Makes me think twice before putting in a NUKE button.


Seriously, that stuff is just begging to be abused.


Oh and that SOB comment was just for added drama.

Bass
www.spreadfirefox.com/5years/

svn export doesn't delete anything, just makes a copy.

E.g. you can do something like:

svn export ssh://yourwebserver.com

or locally as

svn export /var/web

or something like that. But it doesn't delete anything.

Maddus Mattus
Do, or do not. There is no try. - Yoda

errrr,...


why would I want to do that?


I've been using source control for ages now, I've never come across any scenario that I wanted to export a project,... ever,...

Bass
www.spreadfirefox.com/5years/

How exactly do you get your project on to a build server? Or a web server?


I don't do in-place builds even if I am the local computer. I don't want a bunch of compiler or build system generated crap going into my source tree. I know with "make clean" you can remove most of it, but I always find that there is crap that remains, and I don't feel like keeping track of it. It's not worth it in Linux where verbatim copies of 500 MB of files seems to take half a second anyway.

blowdart
Peek-a-boo

Build servers are internal, so no worry there. Promotion to live should be automated, and part of your build process too, so it's tested.

Bass
www.spreadfirefox.com/5years/

Yeah so your build system calls "svn export ftp://blahblah" anyways. If you are doing it any other way (like a standard copy) you are probably doing it the wrong way. Apparently a lot of people are doing it the wrong way.

Also why upload a bunch of metadata to a build server even if it is internal? This is not so big of a deal with SVN, but with Git or Bzr or Hg it is, because your local copy has ALL revisions in its metadata. All you need is the current revision to build.

I'm seriously starting to find it a little silly that being able to pull a specific revision out of a source control system is considered a useless feature that no one uses.
