Re: Webserver CVS (In)Security

From: Crist J. Clark <crist.clark(at)attbi.com>
Date: Wed Apr 02 2003 - 01:09:05 EST

On Sun, Mar 30, 2003 at 04:42:02PM -0500, methodic@libpcap.net wrote: [snip]

> In the end I chose to delete all CVS directories and files in my webroot
> with this command: find /www -name CVS -type d | xargs rm -rf which I
> have in a shell script that pushes the CVS site live. I didn't need them
> around and I didn't feel like messing around with httpd.conf. I'm not
> sure why people would want to keep them around.. maybe there's a tool
> that performs some sort of statistics. If that's the case, you should
> write a regex in your webserver's config file (if it has that option) to
> deny CVS and anything below it.

No, what you should be doing is a,

$ cvs export web-root

And NOT a 'checkout.'

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     
cjc(at)freebsd.org

Received on Thu Apr 3 12:51:04 2003

This message: [ Message body ]
Next message: Blue Boar: "Re: Generating Hex Numbers to brute force rs_iis.c"
Previous message: Adam Gilmore: "RE: IkonBoard v3.1.1: arbitrary command execution"
In reply to: methodic(at)libpcap.net: "Webserver CVS (In)Security"
Next in thread: Andrew Brown: "Re: Webserver CVS (In)Security"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT