Security issue when defining wrong location directive in Apache

From: Sander <boxtel_at_gmail.com>
Date: 2006-01-17 00:50:52 CET

Hi,

Can anybody confirm this.

I had some repositories under my https-root ..

My Apache conf was:

<Location /svn>
DAV svn
SVNParentPath /var/www/domainname/httpsdocs/projects

  AuthType Basic
  AuthName "Subversion Repository Access"
  AuthUserFile /var/www/domainname/private/.xsinfo

</Location>

This looks quite ok doesnt it ?

BUT, when somebody would be smart and guessed a URL .. he could browse
directly to 'https://domainname/projects/<reposname>/<file-to-download>' and
therefore bypass the Location-based authentication (that looks for /svn
instead of /projects in the URL !!) and download the repository files (in
raw database format).

So isn't it best practise to name the last part of the SVNParentPath /
SVNPath exactly the same as the 'Location' directive path ?

Maybe this could be emphasized some more in the manual !
Or am i completely missing the picture here ?

With regards,

Sander.
Received on Tue Jan 17 01:03:40 2006

This message: [ Message body ]
Next message: Lakshman Srilakshmanan: "Subversion hooks directory as a Symbolic link."
Previous message: Russell East: "Solaris svn server: Final line in revision file longer than 64 characters"
Next in thread: Ryan Schmidt: "Re: Security issue when defining wrong location directive in Apache"
Reply: Ryan Schmidt: "Re: Security issue when defining wrong location directive in Apache"
Reply: Phil Endecott: "Re: Security issue when defining wrong location directive in Apache"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]