Textpattern CMS support forum
Deny access to .svn and .svn/entries
I’ve started seeing some interesting hits in my access logs, specifically to .svn/ and .svn/entries files on production sites. Now, as it happens, none of my production sites are installed from the releases SVN but it’s timely as I’m considering it for future projects. At present, all requests are served a 404 because the files don’t exist. However, as and when I do switch to SVN installs, I don’t want J Random Cracker to be able to figure out my installed Textpattern version easily.
I’d like to be able to add a rule into .htaccess to serve up a 404 when anyone/anything accesses a URL containing the string .svn, or perhaps there’s another way of doing it outside of .htaccess, I’m a little vague.
My understanding is that the following code in .htaccess should work:
RewriteEngine On
# A plain ASCII "-" as the substitution means "do not rewrite"; [F] answers
# 403 Forbidden (not 404), so the ErrorDocument below only covers real 404s.
RewriteRule ^(.*/)?\.svn/ - [F,L]
ErrorDocument 404 "Not found"
I cannot, however, get it to take. I suspect my code is wrong in some way and it’s something obvious that I’ve missed.
Any pointers would be very gratefully received. Thank you in advance.
Last edited by gaekwad (2012-11-08 12:06:57)
Offline
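An added example of the .htaccess approach, written for this thread rather than taken from the original post or from Textpattern: it answers 404 (so the response does not confirm that the directory exists) instead of the 403 that the F flag produces, and, as an assumed generalisation beyond the question, it covers .git and .hg metadata directories the same way.

```apache
# Added example, not from the original post. Blocks any path component named
# .svn, .git or .hg at any depth with a 404 response.

# Variant 1: mod_rewrite. "-" means "no substitution"; a status outside the
# 3xx range in R= stops rewriting and returns that status (implies L).
# In .htaccess the pattern is matched without the leading slash, hence (^|/).
RewriteEngine On
RewriteRule (^|/)\.(svn|git|hg)(/|$) - [R=404]

# Variant 2: mod_alias only, for hosts without mod_rewrite. RedirectMatch
# matches the full URL path, so the same pattern works here too.
# RedirectMatch 404 (^|/)\.(svn|git|hg)(/|$)
```

After deploying, request /.svn/entries, /.svn (no trailing slash) and a nested path such as /textpattern/.svn/entries and confirm each returns 404; a 403 or a 301 to the slash-terminated form still tells the requester something is there.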
Re: Deny access to .svn and .svn/entries
Seems pretty okay.
gaekwad wrote:
I don’t want J Random Cracker to be able to figure out my installed Textpattern version easily.
Textpattern announces that information openly, for instance in feeds. If one were to exploit Textpattern, they wouldn’t need or care about the version number.
Now, as it happens, none of my production sites are installed from the releases SVN but it’s timely as I’m considering it for future projects.
For release branches you could use svn export instead of a checkout.
$ svn export http://textpattern.googlecode.com/svn/releases/4.5.2/source
Which avoids having those .svn files. Release branches are never directly updated, as such you don’t gain much by checking one out.
Offline
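An added check to go with the svn export advice above (example code for this thread, not part of the original post or the Textpattern project): a small shell function that scans a web root for version-control metadata directories, i.e. exactly what a checkout brings along and an export leaves out, so a deploy script can refuse to publish a checked-out tree. The web root path in the usage comment is assumed.

```shell
#!/bin/sh
# Added example, not from the original post or the Textpattern project.
# Lists version-control metadata directories (.svn, .git, .hg) inside a web
# root. Returns 0 when the tree is clean and 1 when anything was found, so
# it can gate a deploy: an "svn export" tree passes, an "svn checkout" fails.
find_vcs_metadata() {
    docroot="$1"
    # -prune stops find descending into a matched directory, so each one is
    # reported once instead of together with everything beneath it.
    hits=$(find "$docroot" -type d \( -name .svn -o -name .git -o -name .hg \) -prune -print)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Usage (assumed path):
#   find_vcs_metadata /var/www/textpattern || echo "VCS metadata present in web root"
```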
Re: Deny access to .svn and .svn/entries
Gocom wrote:
For release branches you could use svn export instead of a checkout.
$ svn export http://textpattern.googlecode.com/svn/releases/4.5.2/source
D’oh, of course. I should’ve thought of that. Much more practical. Thanks, Jukka.
Gocom wrote:
Textpattern announces that information openly, for instance in feeds. If one were to exploit Textpattern, they wouldn’t need or care about the version number.
Forgive me if I come over as obtuse, it’s not my intention, but if there are releases of Textpattern susceptible to XSS attacks (as an example), or where the security is known to have a weak spot, surely that’s an easier target for an exploiter? Sucking up version numbers from feeds, history.txt or whatever is a double-edged sword; it reveals the extent of where Textpattern is installed, but also profiles sites open to attack.
Last edited by gaekwad (2012-11-08 13:46:31)
Offline