Vulnerability Development mailing list archives

Re: Webserver CVS (In)Security

From: "Crist J. Clark" <crist.clark () attbi com>
Date: Tue, 1 Apr 2003 22:09:05 -0800

On Sun, Mar 30, 2003 at 04:42:02PM -0500, methodic () libpcap net wrote:
[snip]

In the end I chose to delete all CVS directories and files in my webroot
with this command: find /www -name CVS -type d | xargs rm -rf which I
have in a shell script that pushes the CVS site live. I didn't need them
around and I didn't feel like messing around with httpd.conf. I'm not
sure why people would want to keep them around.. maybe there's a tool
that performs some sort of statistics. If that's the case, you should
write a regex in your webserver's config file (if it has that option) to
deny CVS and anything below it.


No, what you should be doing is a,

  $ cvs export web-root

And NOT a 'checkout.'
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

Current thread:

Webserver CVS (In)Security methodic (Apr 01)
- Re: Webserver CVS (In)Security Brian Hatch (Apr 03)
- Re: Webserver CVS (In)Security Crist J. Clark (Apr 03)
- Re: Webserver CVS (In)Security Andrew Brown (Apr 03)