If you thought you were secure, think again.

Like many, I am using Capistrano to deploy my Rails application. Like many, I also unintentionally expose Subversion metadata to the world.

In Preventing Subversion Exposure, Dan Benjamin talks about how to secure your server if you are using Apache:

httpd.conf

<DirectoryMatch "^/.*/\.svn/">
  Order deny,allow
  Deny from all
</DirectoryMatch>

I am using a clustered deployment environment as described on Mongrel’s LighTTPD page:

Except that Lighttpd is replaced with Pound, and Apache is just another service behind it.

My pound.cfg contains this block of code:

pound.cfg

# static file serving
Service
  URL ".*\.(jpe?g|gif|png|js|css|xml)"
  BackEnd
    Address 127.0.0.1
    Port 12600
  End
End

Service
  BackEnd
    Address 127.0.0.1
    Port 12500
  End
End

I thought I was not vulnerable to Dan’s trick, but it turns out I am.

When Pound receives a request, it tries to match the incoming path against the URL pattern above. Since /.svn/entries does not match, Pound falls through to the next Service, which is the Mongrel cluster. Mongrel can serve static files too, and it turns out that it is Mongrel which is opening up the security hole.

Until I find a way to close the hole, I am deploying with the export method instead, so no .svn directories reach the server at all:

config/deploy.rb

set :checkout, "export"

UPDATE (2006-08-25): Following John’s suggestion below (#comment-139), you can also change the Pound configuration to this:

pound.cfg

# static file serving
Service
  URL ".*\.(jpe?g|gif|png|js|css|xml|svn)"
  BackEnd
    Address 127.0.0.1
    Port 12600
  End
End

Notice that “svn” was added to the end of the alternation in the URL line? That tells Pound to send requests for “.svn” paths to this service (Apache in my case), where the 403 can be processed.
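To see why the original configuration leaks and the updated one does not, here is a small simulation of Pound’s Service selection, added for this post and not part of the original configuration. It assumes Pound tries Service blocks top to bottom and matches the URL pattern as an unanchored, case-insensitive regular expression (POSIX regexec semantics); the request paths are constructed samples.

```python
import re

# Backends from the pound.cfg above: Apache serves static files and carries
# the DirectoryMatch deny rule; the Mongrel cluster does not.
APACHE_PORT = 12600
MONGREL_PORT = 12500

# Each Service is (URL pattern, backend port); None means "no URL line",
# i.e. a catch-all Service. Order matters: first match wins.
ORIGINAL_SERVICES = [
    (r".*\.(jpe?g|gif|png|js|css|xml)", APACHE_PORT),
    (None, MONGREL_PORT),
]
FIXED_SERVICES = [
    (r".*\.(jpe?g|gif|png|js|css|xml|svn)", APACHE_PORT),
    (None, MONGREL_PORT),
]


def route(path, services):
    """Return the backend port Pound would hand `path` to.

    Assumption: unanchored, case-insensitive regex search against the
    request path, as POSIX regexec does; a Service without a URL matches all.
    """
    for pattern, port in services:
        if pattern is None or re.search(pattern, path, re.IGNORECASE):
            return port
    return None


def exposed_svn_paths(paths, services):
    """Paths inside a .svn directory that reach Mongrel, the backend with no
    deny rule, and would therefore be served to the client."""
    return [p for p in paths
            if "/.svn/" in p and route(p, services) == MONGREL_PORT]


# Constructed sample requests: normal assets, a Rails route, and the
# Subversion metadata files a scanner would probe for.
SAMPLE_PATHS = [
    "/images/logo.png",
    "/posts/42",
    "/.svn/entries",
    "/.svn/text-base/database.yml.svn-base",
    "/javascripts/.svn/text-base/application.js.svn-base",
]

if __name__ == "__main__":
    for label, svc in (("original", ORIGINAL_SERVICES), ("fixed", FIXED_SERVICES)):
        print(label, "-> exposed:", exposed_svn_paths(SAMPLE_PATHS, svc))
```

Note that the `.js.svn-base` path already landed on Apache under the original rule because `\.js` matches inside it; only the files with no asset-like suffix fell through to Mongrel, which is exactly the gap the `|svn` alternative closes.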

You could also extend the URL line to cover CVS, darcs and other version-control admin directories.