Is your .svn showing (like 3300 other sites)?

Updated: 2022-09-12 19:21:29

TechCrunch has an article (pointing back to a Russian security company's blog post (translated link)) detailing a scan of 2,253,388 web sites that turned up an amazing 3,320 exposed Subversion .svn directories.

In case you're not familiar with Subversion, it is a version control system similar to CVS. Its .svn directory is likely to hold a wealth of information for attackers--account names of developers, change histories, and most importantly, full copies of source code, which may be served in plain text rather than executed on the server side.

At best, disclosure of source code will give your attacker great insight into how things operate and point out any "hidden" files. At worst, it will let attackers find a flaw that leads to compromise of your server. Clearly, neither of those is a desirable outcome.

To check your website for a .svn directory (and don't forget to look for a "cvs" directory as well), there are several options (more than one is probably appropriate):

And don't forget that the .svn directory may exist in any location, not just the web root.
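To make that check concrete, here is an added self-check script (not part of the original post, and not one of the author's tools) that probes a base URL you administer for the Subversion and CVS metadata files and separates genuine hits from "soft 404" pages that answer 200 to anything. The probe paths, the file-signature heuristics and the command-line usage are my assumptions.

```python
# Self-check for exposed version-control metadata under your own web root.
import re
import sys
import urllib.error
import urllib.request

# Files to probe: Subversion <=1.6 entries file, Subversion >=1.7 SQLite
# working-copy database, and the CVS equivalent (assumed probe set).
PROBES = ["/.svn/entries", "/.svn/wc.db", "/CVS/Entries"]
# A real .svn/entries starts with a format number and the "dir" record
# (Subversion 1.4+) or, for older clients, an XML <wc-entries> document.
SVN_ENTRIES_RE = re.compile(rb"^\d+\n\ndir\n|^<\?xml[^>]*>\s*<wc-entries")
# CVS/Entries is one record per line: "/name/rev/date/opts/tag" or "D/name////".
CVS_ENTRIES_RE = re.compile(rb"^D?/[^/\n]*/")


def classify(path: str, status: int, body: bytes) -> str:
    """'exposed' = real file served; 'suspicious' = 200 but not the real
    file (typically a custom error page); 'clean' = anything else."""
    if status != 200:
        return "clean"
    if path.endswith("/.svn/entries") and SVN_ENTRIES_RE.match(body):
        return "exposed"
    if path.endswith("/.svn/wc.db") and body.startswith(b"SQLite format 3\x00"):
        return "exposed"
    if path.endswith("/CVS/Entries") and CVS_ENTRIES_RE.match(body):
        return "exposed"
    return "suspicious"


def fetch(url: str) -> tuple:
    """Return (status, first 4 KiB of body); status 0 on connection failure."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""


def check_site(base_url: str, prefixes=("",)) -> dict:
    """Probe every prefix (e.g. "" and "/admin") under base_url, because a
    checkout can be served from any path, not only the web root."""
    results = {}
    for prefix in prefixes:
        for probe in PROBES:
            path = prefix.rstrip("/") + probe
            status, body = fetch(base_url.rstrip("/") + path)
            results[path] = classify(path, status, body)
    return results


if __name__ == "__main__":  # usage: script.py https://your-site.example [/prefix ...]
    for path, verdict in check_site(sys.argv[1], ("", *sys.argv[2:])).items():
        print(f"{verdict:10s} {path}")
```

A "suspicious" verdict usually means the server returns a 200 error page for unknown paths; inspect that response by hand rather than treating it as a leak.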

If you find one, you should take several steps to resolve the situation:

  • Move the .svn directory to someplace inaccessible via the web site
  • Reconfigure your web server to not serve files/directories that begin with a dot
  • Check google.com, archive.org and other sites which cache web sites to ensure your source code is not still available--if it is, follow the site's procedure for requesting the content be removed
  • Thoroughly review all exposed files (whether or not you have evidence that they were accessed) to look for user IDs, passwords, database connection strings, etc., and if you find any: change them immediately

The authors of the survey attempted to contact all the sites via email. If you suspect you were on the list and didn't receive the warning, you may want to review your mail handling procedures, ensure you have appropriate contact email addresses (see RFC 2142 for more info), and add your company to OSVDB.org's "Vendor Dictionary" to allow third parties to contact you more easily.

WebInspect will help to ensure the security of your web applications by locating insecure .svn directories. Simply SmartUpdate to receive the latest checks and methodologies.