Updated: 2022-09-12 19:21:29
TechCrunch has an article (pointing back to a Russian security company blog post (translated link)) detailing a scan of 2,253,388 web sites, which turned up an astonishing 3,320 exposed Subversion .svn directories.
In case you're not familiar with Subversion, it is a version control system similar to CVS. Its .svn directory is likely to hold a wealth of information for attackers: account names of developers, change histories and, most importantly, full copies of source code, which may be served in plain text rather than executed on the server side.
At best, disclosure of source code gives your attacker great insight into how things operate and points out any "hidden" files. At worst, it lets attackers find a flaw that leads to compromise of your server. Clearly, neither of those is a desirable outcome.
To check your website for a .svn directory (and don't forget to look for a "cvs" directory as well), there are several options (more than one is probably appropriate):
And don't forget that the .svn directory may exist in any location, not just the web root.
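One way to run such a check against your own hosts, as an added example that is not part of the original article or any tool it mentions: the script below probes each path you name for the marker files a checked-out working copy leaves behind (`.svn/entries` for Subversion 1.6 and earlier, `.svn/wc.db` for 1.7 and later, and `CVS/Entries` for CVS) and only reports a hit when the body matches the real file format, so a custom "404" page served with status 200 is not counted. The host name, the path list and the marker set are assumptions for illustration.

```python
"""Check your own web hosts for exposed Subversion (.svn) and CVS metadata directories.

Added example; hosts and paths are assumptions, not values from the article.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Marker files that exist only if a working copy (not an export) was uploaded to the docroot.
MARKERS = (
    ".svn/entries",   # Subversion <= 1.6 working copies: first line is the format number
    ".svn/wc.db",     # Subversion >= 1.7 working copies: an SQLite database
    "CVS/Entries",    # CVS checkouts: one "/file/rev/date//" or "D/dir////" line per entry
)


def candidate_urls(base, paths=("/",)):
    """Build marker URLs under every path to check; the .svn directory may sit anywhere, not just the web root."""
    urls = []
    for path in paths:
        if not path.endswith("/"):
            path += "/"
        for marker in MARKERS:
            urls.append(urljoin(base, path + marker))
    return urls


def looks_like_vcs_metadata(marker, body):
    """Return True only if the body has the genuine file format, so soft-404 pages are not reported."""
    if marker.endswith("wc.db"):
        return body.startswith(b"SQLite format 3\x00")
    if marker.endswith(".svn/entries"):
        first = body.split(b"\n", 1)[0].strip()
        return first.isdigit()  # e.g. b"10" for the svn 1.6 entries format
    if marker.endswith("CVS/Entries"):
        lines = [ln for ln in body.splitlines() if ln.strip()]
        return bool(lines) and all(ln.startswith((b"/", b"D")) for ln in lines)
    return False


def probe(url, timeout=5):
    """Fetch one URL; return (status, first 4 KiB of body), or (None, b"") on connection errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "vcs-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def scan(base, paths=("/",)):
    """Return the list of marker URLs on `base` that really serve VCS metadata."""
    findings = []
    for url in candidate_urls(base, paths):
        marker = next(m for m in MARKERS if url.endswith(m))
        status, body = probe(url)
        if status == 200 and looks_like_vcs_metadata(marker, body):
            findings.append(url)
    return findings


if __name__ == "__main__":
    # Usage: python check_vcs_exposure.py https://www.example.com/ / /admin /app
    site = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com/"  # assumed host
    directories = sys.argv[2:] or ["/"]
    for hit in scan(site, directories):
        print("EXPOSED:", hit)
```

Feed it the directories your deployment actually serves (the application root, admin areas, anything copied from a working copy), and treat any line printed as a finding to act on; a clean run only covers the paths you listed.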
If you find one, you should take several steps to resolve the situation:
The authors of the survey attempted to contact all the sites via email. If you suspect you were on the list and didn't receive the warning, you may want to review your mail handling procedures, ensure you have appropriate contact email addresses (see RFC 2142 for more info), and add your company to OSVDB.org's "Vendor Dictionary" to allow third parties to contact you more easily.
WebInspect will help to ensure the security of your web applications by locating insecure .svn directories. Simply SmartUpdate to receive the latest checks and methodologies.