Re: Webserver CVS (In)Security

From: Crist J. Clark (crist.clark@attbi.com)
Date: 04/02/03

    Date: Tue, 1 Apr 2003 22:09:05 -0800
    From: "Crist J. Clark" <crist.clark@attbi.com>
    To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com

    On Sun, Mar 30, 2003 at 04:42:02PM -0500, methodic@libpcap.net wrote:
    [snip]

    > In the end I chose to delete all CVS directories and files in my webroot
    > with this command: find /www -name CVS -type d | xargs rm -rf which I
    > have in a shell script that pushes the CVS site live. I didn't need them
    > around and I didn't feel like messing around with httpd.conf. I'm not
    > sure why people would want to keep them around.. maybe there's a tool
    > that performs some sort of statistics. If that's the case, you should
    > write a regex in your webserver's config file (if it has that option) to
    > deny CVS and anything below it.

    No, what you should be doing is a,

      $ cvs export web-root

    And NOT a 'checkout.'

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
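    An added example, not part of either post above: a small POSIX shell script that audits a deployed web root for CVS metadata directories left behind by a "cvs checkout" (each one carries a Root file naming the repository location and an Entries file listing files and revisions) and strips them. The web root it builds is constructed for the demo, and it uses find -exec rather than the unquoted xargs pipeline quoted in the original so paths containing spaces are handled; a tree produced with "cvs export" should report zero such directories.

```shell
#!/bin/sh
# Added example (not from the original posts): find and remove CVS metadata
# directories under a deployed web root. The web root built here is
# constructed for the demo only.
set -eu

# Build a throwaway tree that looks like the result of "cvs checkout".
make_demo_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/CVS" "$root/img/CVS" "$root/docs with space/CVS"
  printf 'example.invalid:/repo\n' > "$root/CVS/Root"          # constructed value
  printf '/index.html/1.3/Mon Mar 31 00:00:00 2003//\n' > "$root/CVS/Entries"
  printf '<html></html>\n' > "$root/index.html"
  printf 'x' > "$root/img/logo.png"
  echo "$root"
}

# Number of CVS directories under the given web root; anything above zero is
# metadata a web client could request unless the server blocks it.
count_cvs_dirs() {
  find "$1" -type d -name CVS | wc -l | tr -d ' '
}

# Remove every CVS directory. -prune stops find from descending into a
# directory it is about to delete; -exec ... {} + is safe on empty results
# and on paths with spaces, unlike "find ... | xargs rm -rf".
strip_cvs_dirs() {
  find "$1" -type d -name CVS -prune -exec rm -rf -- {} +
}

# Stand-alone demo: build, audit, strip, audit again, clean up.
demo_root=$(make_demo_webroot)
echo "CVS dirs before strip: $(count_cvs_dirs "$demo_root")"
strip_cvs_dirs "$demo_root"
echo "CVS dirs after strip:  $(count_cvs_dirs "$demo_root")"
rm -rf "$demo_root"
```

    Run the script from the deployment step that pushes the site live, or simply point count_cvs_dirs at the live document root as a periodic check that no checkout metadata has crept in.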