Vulnerability Development mailing list archives
Re: Webserver CVS (In)Security
From: "Crist J. Clark" <crist.clark () attbi com>
Date: Tue, 1 Apr 2003 22:09:05 -0800
On Sun, Mar 30, 2003 at 04:42:02PM -0500, methodic () libpcap net wrote: [snip]
In the end I chose to delete all CVS directories and files in my webroot with this command: find /www -name CVS -type d | xargs rm -rf which I have in a shell script that pushes the CVS site live. I didn't need them around and I didn't feel like messing around with httpd.conf. I'm not sure why people would want to keep them around.. maybe there's a tool that performs some sort of statistics. If that's the case, you should write a regex in your webserver's config file (if it has that option) to deny CVS and anything below it.
No, what you should be doing is a, $ cvs export web-root And NOT a 'checkout.' -- Crist J. Clark | cjclark () alum mit edu | cjclark () jhu edu http://people.freebsd.org/~cjc/ | cjc () freebsd org
Current thread:
- Webserver CVS (In)Security methodic (Apr 01)
- Re: Webserver CVS (In)Security Brian Hatch (Apr 03)
- Re: Webserver CVS (In)Security Crist J. Clark (Apr 03)
- Re: Webserver CVS (In)Security Andrew Brown (Apr 03)