Date: Tue, 1 Apr 2003 11:56:12 -0800
From: Brian Hatch <vuln-dev@...kr.org>
To: bugtraq@...urityfocus.com, vuln-dev@...urityfocus.com
Subject: Re: Webserver CVS (In)Security
> A lot of people use CVS to manage their web content. It's a great way to
> keep track of changes, and makes updating and rollbacks a very easy
> thing to do.

...

> When I finally decided to manage my web content with CVS, I noticed
> something about the directory layout (after running a `cvs up`) of my
> website; there were a bunch of CVS directories with files in them. I
> always knew they were there when working with CVS (those files are the
> way CVS keeps track of versions and what not), but I never paid any mind
> to them.. until today.

I use CVS to manage many of my web sites too, however the website is
rsync'd from the checked out CVS version.  I use the '-C' flag
(--cvs-exclude) to automatically not upload any CVS-related files.
From the man page:

   This is a useful shorthand for excluding a broad range of
   files that you often don't want to transfer between
   systems. It uses the same algorithm that CVS uses to
   determine if a file should be ignored.

   The exclude list is initialized to:

   RCS  SCCS  CVS CVS.adm RCSLOG cvslog.* tags TAGS .make.state
   .nse_depinfo *~ #* .#* ,* *.old *.bak *.BAK *.orig *.rej .del-*
   *.a *.o *.obj *.so *.Z *.elc *.ln core

   then files listed in a $HOME/.cvsignore are added to the
   list and any files listed in the CVSIGNORE environment
   variable (space delimited).

   Finally, any file is ignored if it is in the same
   directory as a .cvsignore file and matches one of the
   patterns listed therein.  See the cvs(1) manual for more
   information.


This prevents all those sensitive files from being published, not just
those that are in the CVS directory.

If it's just the CVS directory you're worried about, you could configure
apache to deny these using a <files CVS> option in your httpd.conf.
--
Brian Hatch                  I used to work in a
   Systems and                blanket factory,
   Security Engineer          but it folded.
www.hackinglinuxexposed.com

Every message PGP signed
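
As an added example (not code from Brian's mail, nor rsync's own source), the
following Python reimplements the exclusion algorithm the quoted man page
describes, so you can see exactly which files a `-C`/`--cvs-exclude` transfer
would leave behind: the built-in list, then `$HOME/.cvsignore`, then the
`CVSIGNORE` environment variable, then a per-directory `.cvsignore` that
applies only to its own directory. A bare `!` entry resets the list, as in
cvs(1). The function names and the sample web tree are mine; the home-file and
environment contents are passed in as parameters so the script runs offline.

```python
import fnmatch
import os
import tempfile

# The initial exclude list quoted from the rsync(1) man page in the mail above.
DEFAULT_CVS_IGNORE = """RCS SCCS CVS CVS.adm RCSLOG cvslog.* tags TAGS .make.state
.nse_depinfo *~ #* .#* ,* *.old *.bak *.BAK *.orig *.rej .del-*
*.a *.o *.obj *.so *.Z *.elc *.ln core""".split()


def parse_ignore_list(text, base=()):
    """Layer one cvsignore-style (whitespace-separated) list on top of `base`.
    A bare '!' token discards everything accumulated so far (cvs(1) rule)."""
    patterns = list(base)
    for token in text.split():
        if token == "!":
            patterns = []
        else:
            patterns.append(token)
    return patterns


def global_ignore_list(home_cvsignore_text="", cvsignore_env=""):
    """Built-in list, then $HOME/.cvsignore contents, then $CVSIGNORE."""
    patterns = parse_ignore_list(home_cvsignore_text, DEFAULT_CVS_IGNORE)
    return parse_ignore_list(cvsignore_env, patterns)


def is_ignored(name, patterns):
    """Patterns match the basename only, case-sensitively, like CVS does."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def published_files(root, global_patterns):
    """Return the sorted relative paths that would actually be transferred."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        local = list(global_patterns)
        if ".cvsignore" in filenames:
            # Per-directory list: valid here, not in subdirectories.
            with open(os.path.join(dirpath, ".cvsignore"), encoding="utf-8") as f:
                local = parse_ignore_list(f.read(), local)
        # Prune ignored directories in place so os.walk never descends into
        # them; this is what keeps CVS/Root and CVS/Entries off the web server.
        dirnames[:] = [d for d in dirnames if not is_ignored(d, local)]
        for fn in filenames:
            if not is_ignored(fn, local):
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                out.append(rel.replace(os.sep, "/"))
    return sorted(out)


def build_sample_tree(root):
    """Constructed checkout of a small site; contents are placeholders."""
    files = {
        "index.html": "<html>hello</html>\n",
        "CVS/Root": ":ext:user@cvs.example.invalid:/cvsroot\n",  # constructed
        "CVS/Entries": "/index.html/1.3/Tue Apr  1 00:00:00 2003//\n",
        "CVS/Repository": "www\n",
        "index.html.bak": "editor backup\n",
        "core": "",
        "img/logo.png": "not really a PNG\n",
        "img/CVS/Entries": "/logo.png/1.1/Tue Apr  1 00:00:00 2003//\n",
        "drafts/.cvsignore": "*.draft\n",
        "drafts/notes.draft": "unfinished\n",
        "drafts/post.html": "ready\n",
        "drafts/sub/notes.draft": "not covered by drafts/.cvsignore\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)


def demo(home_cvsignore_text="", cvsignore_env=""):
    """Build the sample checkout and report what -C would publish from it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return published_files(
            root, global_ignore_list(home_cvsignore_text, cvsignore_env))


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Two things worth noticing in the output: `drafts/sub/notes.draft` is still
published because a `.cvsignore` only covers the directory it sits in, and
`drafts/.cvsignore` itself is published, since nothing in the built-in list
names it. If you run `rsync -C` in practice, a `--dry-run -v` pass against the
checkout is the quick way to confirm the same thing before the real upload.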

