The other day on College Humor and Bustedtees we discovered a fairly serious security vulnerability. Fortunately because of the layout of our code nothing malicious could be exploited (more in another post). We thought our “push” script was skipping .svn folders, it turned out to not be operating correctly.
The hack is simple, documented and easily overlooked. Once the vulnerability was found, I did my best to exploit the shit out of it. I did so very successfully. I even tried it on some other popular websites and was able to access files I should have never been able to. In one instance I gained limited access to a sites admin. I emailed all of these sites to notify them of the security vulnerability. They were most gracious, once company even sent me a gift card!
The hack obviously starts in .svn directory, specifically at the entries file. You can access this file by browsing to:
This document contains all of the files and folders svn manages in that directory. In some instances you can locate admin directories and the same thing applies…
So at this point all you have are a bunch of file names. Sometimes you can get some fun information and access to files that were meant to be hidden. Security by obscurity is not a solution, protect files you don’t want the public to access!
Now this is where things get interesting… Any file that has been checked in I can now execute. Either directly or through an svn folder that holds file revisions. Pick any file in the list and browse to:
In this example the PHP file will be put through the PHP parser and executed. The results really depend on the layout of the code. Depending on the way the coder uses includes/requires decides on how much access and what kind of output you get. If a file is included using a relative path, the includes won’t be included since your working directory is the text-base dir. If they are using absolute paths, includes will continue through the execution. In one of the sites I poked around in, I found their admin wrapped through some kind of lite template/framework. I was able to bypass the system and go directly to the file without a using password. From there I had limited additional actions, but I still gained access to where I wasn’t welcome.
To do some additional testing I setup a test site to play with other file types. I found that files without a PHP extension, for example .inc files were NOT parsed and instead the contents were spit out to the page. In this test case the .inc file contained passwords and locations to databases. The possible additional damage I could cause from here is endless…
I’m not the first one to discover this hack, although a quick search only revealed obvious prevention methods. Protecting your site is really simple. Add this to your htacces file:
Another option is blocking .svn folders through your web server config file for all sites.
Update
A number of people have mentioned a better prevention technique… They recommend doing an SVN export instead of a checkout or rsync. This was something I thought about after discovering the exploit. But I am by no means a system admin or the person who deals with that stuff at work. I’m glad these people were able to confirm that idea. Thanks!
Posts
how to hack google based site orkut?
| January 27, 2009 @ 5:59 am
Nice tip!
SVN export instead of a checkout or rsync should solve the problem.
| January 27, 2009 @ 6:41 am
Apache’s filesmatch or directory directives + deny from all is faster and more reliable than URL rewrite.
I’d block access to all files/dirs starting with a dot, becase there are other tools with similar problems.
| January 27, 2009 @ 9:38 am
or just be sensible and host your .svn on another server then your live production server
| January 27, 2009 @ 9:42 am
The nice thing about your initial .htaccess fix is that you can still use svn up instead of having to re-export the entire site to fix a typo.
| January 27, 2009 @ 11:03 am
@ritu
thats not what this is about.
| January 27, 2009 @ 12:15 pm
I just noticed this as well. I’m working with a company that has been using subversion doing security auditing and this was a glaring vulnerability just waiting to be exploited. It’s pretty amazing what developers miss sometimes!
Another great solution is to use a better version control system, like Mercurial. But hey, I might be biased. :)
| August 29, 2009 @ 10:19 am
There are a number of reasons why you’d want a SVN working copy within a site’s DocumentRoot and using the method to protect the .svn directories makes it just as safe as using svn export.
This (in the Apache config or .htaccess) works even if mod_rewrite is not available:
RedirectMatch 404 /\\.svn(/|$)
It also has the advantage of making it appear as if there’s not a .svn directory at all.
| December 22, 2009 @ 1:22 pm