Textpattern CMS support forum

#1 2012-11-08 11:38:56

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,356

Deny access to .svn and .svn/entries

I’ve started seeing some interesting hits in my access logs, specifically to .svn/ and .svn/entries files on production sites. Now, as it happens, none of my production sites are installed from the releases SVN but it’s timely as I’m considering it for future projects. At present, all requests are served a 404 because the files don’t exist. However, as and when I do switch to SVN installs, I don’t want J Random Cracker to be able to figure out my installed Textpattern version easily.

I’d like to be able to add a rule into .htaccess to serve up a 404 when anyone/anything accesses a URL containing the string .svn, or perhaps there’s another way of doing it outside of .htaccess, I’m a little vague.

My understanding is that the following code in .htaccess should work:

RewriteEngine On
RewriteRule ^(.*/)?\.svn/ - [F,L]
ErrorDocument 404 "Not found"

I cannot, however, get it to take. I suspect my code is wrong in some way and it’s something obvious that I’ve missed.

Any pointers would be very gratefully received. Thank you in advance.

Last edited by gaekwad (2012-11-08 12:06:57)

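For reference, here is an added example of how the rule in the opening post can be written so that it does what the post actually asks for (a 404 rather than the 403 that the F flag produces). It is not code from the thread or from the Textpattern project; it assumes Apache 2.2 or later with mod_rewrite (and, for the alternative, mod_alias) enabled and an .htaccess placed at the site's document root with AllowOverride permitting FileInfo directives.

```apache
# Added example: block every request whose path contains a .svn directory.
# Assumes Apache 2.2+ with mod_rewrite, and that this .htaccess sits at the
# document root of the Textpattern install.
RewriteEngine On

# In .htaccess (per-directory) context the path that RewriteRule tests has
# no leading slash and is relative to this directory, so the optional
# "(.*/)?" prefix is what lets one rule catch textpattern/.svn/entries as
# well as .svn/entries at the root.
#
# The original rule's [F] answers 403 Forbidden, which still confirms to a
# scanner that the directory exists. Giving R= a status outside 300-399
# drops the substitution and stops rewriting, so R=404 answers with the plain
# "Not Found" the post asked for. NC makes the match case-insensitive.
RewriteRule ^(.*/)?\.svn(/|$) - [R=404,NC,L]

# Equivalent without mod_rewrite, using mod_alias. RedirectMatch tests the
# full URL path, hence the leading slash. Use one approach or the other.
# RedirectMatch 404 /\.svn(/|$)

# A message beginning with a double quote is served as text rather than
# looked up as a file, so this keeps the 404 body minimal.
ErrorDocument 404 "Not found"
```

This only hides the directory from HTTP clients; the .svn metadata is still on disk and still readable by anything that runs on the server. Deploying with svn export, as suggested later in the thread, avoids having the files there in the first place, and the rule above then serves as a safety net for directories that were copied over by other means.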

#2 2012-11-08 13:32:48

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Deny access to .svn and .svn/entries

Seems pretty okay.

gaekwad wrote:

I don’t want J Random Cracker to be able to figure out my installed Textpattern version easily.

Textpattern announces that information openly, for instance in feeds. If one were to exploit Textpattern, they wouldn’t need or care about the version number.

Now, as it happens, none of my production sites are installed from the releases SVN but it’s timely as I’m considering it for future projects.

For release branches you could use svn export instead of a checkout.

$ svn export http://textpattern.googlecode.com/svn/releases/4.5.2/source

Which avoids having those .svn files. Release branches are never directly updated, as such you don’t gain much by checking one out.


#3 2012-11-08 13:36:18

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,356

Re: Deny access to .svn and .svn/entries

Gocom wrote:

For release branches you could use svn export instead of a checkout.
$ svn export http://textpattern.googlecode.com/svn/releases/4.5.2/source

D’oh, of course. I should’ve thought of that. Much more practical. Thanks, Jukka.

Gocom wrote:

Textpattern announces that information openly, for instance in feeds. If one were to exploit Textpattern, they wouldn’t need or care about the version number.

Forgive me if I come over as obtuse, it’s not my intention, but if there are releases of Textpattern susceptible to XSS attacks (as an example), or where the security is known to have a weak spot, surely that’s an easier target for an exploiter? Sucking up version numbers from feeds, history.txt or whatever is a double-edged sword; it reveals the extent of where Textpattern is installed, but also profiles sites open to attack.

Last edited by gaekwad (2012-11-08 13:46:31)


#4 2012-11-08 15:35:51

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Deny access to .svn and .svn/entries

Falls under security through obscurity. If I wanted to breach something, I would just run a stack of scripts exploiting any known vulnerabilities. One not giving Textpattern’s version number is irrelevant at that point.
