• Russian Security Group exposes source-code for 3000+ sites

    A Russian security group has once again exposed how widespread misconfigured web servers are. The “exploit” itself is not new: it relies on the fact that there are usually some change files left in the .svn/.cvs directories on a site, grabs these metadata files, and extracts source code from them.

    At the very least, one would expect web admins to restrict access to files starting with a dot.

    In any case, to remedy this issue, prefer svn export/rsync over checkout. If possible, consider using something like the following to deny access to the files.

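    # Deny all HTTP access to any directory whose path matches \.svn.
    # Order takes a single argument: no space is allowed after the comma.
    <DirectoryMatch \.svn>
        Order allow,deny
        Deny from all
    </DirectoryMatch>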
    

    URL rewriting can also be used from .htaccess, provided mod_rewrite is enabled.
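
    A pre-publish check for the advice above, as an added example that is not part of the original post: it flags a document root that still carries working-copy metadata, which is what deploying by checkout instead of svn export/rsync leaves behind. The function names and sample trees are constructed for illustration, and the scan goes beyond the post by also covering .git and .hg; CVS metadata is matched under its usual directory name, CVS.

```shell
#!/bin/sh
# Added example: pre-publish audit of a document root for version-control metadata.

# Print every VCS metadata directory under $1, one per line.
# -prune stops find from descending into a match, so each is listed once.
find_vcs_metadata() {
    find "$1" -type d \( -name .svn -o -name CVS -o -name .git -o -name .hg \) \
        -print -prune
}

# Number of metadata directories under $1.
count_vcs_metadata() {
    find_vcs_metadata "$1" | wc -l | tr -d ' '
}

# Return 0 when $1 is clean, 1 (listing the hits on stderr) when it is not.
audit_docroot() {
    hits=$(find_vcs_metadata "$1")
    [ -z "$hits" ] && return 0
    printf 'VCS metadata under %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# Build two constructed sample trees and print their parent directory:
#   checkout/  looks like a working copy copied straight to the web root
#   export/    looks like the output of an export or a filtered rsync
make_sample_trees() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/checkout/.svn/text-base" "$root/checkout/inc/.svn" \
             "$root/checkout/old/CVS" "$root/export/inc"
    : > "$root/checkout/.svn/entries"
    : > "$root/checkout/.svn/text-base/index.php.svn-base"
    : > "$root/checkout/index.php"
    : > "$root/export/index.php"
    : > "$root/export/inc/db.php"
    printf '%s\n' "$root"
}

# Demo on the constructed trees.
demo=$(make_sample_trees)
for tree in checkout export; do
    if audit_docroot "$demo/$tree"; then
        echo "$tree: clean"
    else
        echo "$tree: VCS metadata present, do not publish"
    fi
done
rm -rf "$demo"
```

    Run audit_docroot against the real document root as a deploy step and fail the deploy on a non-zero exit status.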

    More info: