
Russian Security Group exposes source-code for 3000+ sites

September 23rd, 2009

A Russian security group has once again exposed the widespread existence of misconfigured web servers. The “exploit” itself is not new: it relies on the fact that there are usually some change files in the .svn/.cvs directories on a site, then tries to grab these metadata files and extract source code from them.

At the very least, one would expect web admins to restrict access to files starting with a dot.

In any case, to remedy this issue, prefer svn export or rsync over a checkout. If possible, consider using something like the following to deny access to the files.

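<DirectoryMatch \.svn>
    # Apache 2.2 syntax; Order takes one argument, so no space after the comma.
    # On Apache 2.4+ the equivalent is: Require all denied
    Order allow,deny
    Deny from all
</DirectoryMatch>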

URL rewriting can also be used, provided mod_rewrite is enabled in .htaccess.
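One way to confirm from Apache access logs whether metadata directories were served before the rule was in place, and whether they are refused now (an added example, not code from the original post; the log lines are constructed and the names `vcs_hit` and `audit` are hypothetical):

```python
import re
from urllib.parse import unquote

# Path segments that mark version-control metadata. ".svn" and ".cvs" are the
# names used in the post; "CVS" is the directory name CVS itself creates.
# Compared case-insensitively, so a legitimate "/cvs/" path is also flagged.
VCS_SEGMENTS = {".svn", ".cvs", "cvs"}

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def vcs_hit(target):
    """Return the metadata segment named in a request target, or None."""
    # Decode percent-escapes as the server does, and ignore the query string.
    path = unquote(target.split("?", 1)[0])
    for segment in path.split("/"):
        if segment.lower() in VCS_SEGMENTS:
            return segment
    return None

def audit(lines):
    """Split requests for VCS metadata into served (status < 400) and refused."""
    served, refused = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or vcs_hit(m["target"]) is None:
            continue
        record = (m["host"], m["target"], int(m["status"]))
        (served if record[2] < 400 else refused).append(record)
    return served, refused

# Constructed sample log lines (documentation address ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [23/Sep/2009:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Sep/2009:10:00:05 +0000] "GET /.svn/ HTTP/1.1" 200 812',
    '198.51.100.7 - - [23/Sep/2009:10:00:06 +0000] "GET /app/%2Esvn/example-file HTTP/1.1" 200 2048',
    '203.0.113.4 - - [23/Sep/2009:11:30:00 +0000] "GET /lib/CVS/ HTTP/1.1" 403 199',
    '192.0.2.10 - - [23/Sep/2009:11:31:00 +0000] "GET /docs/svn-guide.html?ref=.svn HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    served, refused = audit(SAMPLE)
    for host, target, status in served:
        print(f"SERVED  {status} {host} {target}")
    for host, target, status in refused:
        print(f"refused {status} {host} {target}")
```

Any entry in the served list means metadata was readable at that time, so the source it describes should be treated as disclosed.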
