© 2025 科技回声. All rights reserved.

Using SVN makes your site extremely vulnerable

41 points by fdeth over 15 years ago

15 comments

hassy over 15 years ago
Summary:

A lot of people don't use "svn export" and leave .svn directories readable to everyone.

The authors of the article wrote a crawler that scanned 2.2 million domains, mostly in the .ru zone, for the vulnerability over the last couple of months.

They got access to (parts of) the source code of over 3 thousand sites, including some big ones like:

* yandex.ru and rambler.ru -- Russian search engines
* mail.ru -- Biggest Russian email host
* rbk.ru -- Large online publisher
* 003.ru, bolero.ru -- Online retailers
* habrahabr.ru -- Webdev/blogging/new media community site
* opera.com
ionfish over 15 years ago
For your Apache config.

```apache
# Disallow viewing of .svn and .git directory contents
<DirectoryMatch \.(svn|git)>
    Order allow,deny
    Deny from all
</DirectoryMatch>
```
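Two defender-side checks for the problem hassy and ionfish describe above, as an added example that is not part of the thread: a pre-deploy sweep of a webroot for VCS metadata directories that a checkout (rather than `svn export`) leaves behind, and a scan of access-log lines for requests that probe for them. It assumes the Apache/nginx combined log format; the sample tree and log lines are constructed for the example.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# VCS metadata directories that a webserver must never hand out.
VCS_DIRS = {".svn", ".git", ".hg", ".bzr", "CVS"}

# Combined log format: client ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Any path component that is exactly one of the metadata directory names.
PROBE_RE = re.compile(r"(?:^|/)(?:\.svn|\.git|\.hg|\.bzr|CVS)(?:/|$)")

# Constructed sample log lines (not real traffic): one probe the server answered,
# one it denied, and one ordinary page request.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2009:12:00:01 +0400] "GET /.svn/entries HTTP/1.1" 200 1834 "-" "curl/7.19"',
    '198.51.100.7 - - [10/Oct/2009:12:00:02 +0400] "GET /admin/.svn/text-base/config.php.svn-base HTTP/1.1" 403 214 "-" "curl/7.19"',
    '203.0.113.5 - - [10/Oct/2009:12:00:03 +0400] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def find_vcs_dirs(webroot):
    """Walk a deployed webroot and return relative paths of VCS metadata dirs.
    An empty result is what 'svn export' gives you; a checkout leaves .svn behind."""
    found = []
    for dirpath, dirnames, _ in os.walk(webroot):
        for name in [d for d in dirnames if d in VCS_DIRS]:
            found.append(os.path.relpath(os.path.join(dirpath, name), webroot))
            dirnames.remove(name)  # no need to descend into the metadata itself
    return sorted(found)

def find_probes(log_lines):
    """Return (ip, path, status) for requests that target VCS metadata paths.
    A 200 here means the server really is serving repository internals."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlparse(m.group("path")).path  # drop the query string
        if PROBE_RE.search(path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

def build_sample_webroot():
    """Create a constructed webroot that mimics a site deployed via 'svn checkout'."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for sub in ("", "admin"):
        os.makedirs(os.path.join(root, sub, ".svn", "text-base"), exist_ok=True)
        with open(os.path.join(root, sub, "index.php"), "w") as fh:
            fh.write("<?php echo 'hi'; ?>\n")
    return root
```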
axod over 15 years ago
Title is misleading and plain wrong.

The issue is not in "using SVN". It's in using any revision control system that has .svn .git etc directories, and accidentally making those directories world readable from a webserver.

User error.
cousin_it over 15 years ago
Russian speaker here, I'll translate some selected comments for your convenience.

harm: "We need more people who, upon finding a hole, go on to scan the whole Runet, for no nefarious reasons but just to warn unwitting site owners."

SilenceAndy: "In olden times such people were called hackers, until journalists perverted that word to mean cyber criminals."

grayhex: "This comment is impervious to Google Translate."

cancel: "Google inurl:.svn/entries, lots of interesting stuff."

Nirvanko: "This ain't new, see http://www.adamgotterer.com/2009/01/26/hacking-the-svn-directory/"

SynteZ: "IIS doesn't have this vulnerability :-) By default it doesn't send files without extensions, because it doesn't know the mime type."

varyen: "Funny, Wii disks from SEGA also have .svn folders, though they're empty."

crazywebdev: "Now I know how http://vkontakte.ru came about."
Sujan over 15 years ago
Using a working copy as your website is a pretty bad idea. That's what svn export is meant for.
walesmd over 15 years ago
This isn't really a vulnerability - just developers not doing their job. Anyone who uses SVN (or any other version management system, for that matter) should know how it works.

I know SVN creates these hidden directories (named .svn) within every directory of my project that contains the working copies of the files within that directory. Therefore I either use export (to not upload the hidden folders) or I make them not accessible to the public via .htaccess.

Saying this is a vulnerability is like telling someone copying/pasting their code into a Pastie is a vulnerability. Common sense.
InclinedPlane over 15 years ago
tl;dr Don't accidentally leave an svn working copy available to the internet, it could be a security vulnerability.
brown9-2 over 15 years ago
From the translation:

"It would seem that in the XXI century is difficult to find such a vulnerability."

Do Russian speakers generally write the century in roman numerals like that? That's kind of neat.
DrJokepu over 15 years ago
I'm no security expert but I'm not sure if I get it - assuming that your code is well written, how would exposing the source code and change history make it more vulnerable? By using this logic, every piece of open source software is "vulnerable". Security through obscurity is not really security.

I thought not checking in safety critical things such as passwords or keys into the repository tree is a standard practice. If it's not, it should be.
masklinn over 15 years ago
And as usual, PHP is at the top of the game: http://fr2.php.net/.svn/entries (note: interestingly, not all subdomains are open, the us* ones aren't, the uk* ones aren't either, and fr.php.net is also closed)
fdeth over 15 years ago
Sorry for the machine translation but an English text is not up just yet.
kennu over 15 years ago
Git is much nicer, because everything is in one .git directory and it can be kept outside the public webroot.
seedy over 15 years ago
We deploy like this, and it looks like I cannot get to the source files in the way described.

It appears that IIS is naively not serving up these file types. If I drop a plain html file in the .svn folder I can get to it, but any .svn-base file or files lacking an extension are unreachable.
AndrewDucker over 15 years ago
It's not actually clear to me what the problem is.

Are they saying that people can read your code (not actually a problem for open source projects) or that they can update it and thus alter your site?

The former doesn't seem so bad - the latter is obviously catastrophic.

I wish I spoke Russian...
bcl over 15 years ago
Well duh. You shouldn't be publishing your repository. Use svn export instead.