For versioning software I use Subversion, and when it comes time to publish changes I just update the production branch and voilà, the website's updated to the latest changes / fixes. The problem is that having a checked-out copy in my document root by default exposes the hidden .svn directory and all its files.
Some of the info you can get out of the .svn directory:
- path to subversion directory
- username used to checkout the copy
- list of all other files in the same directory
I’ve used this simple fix to circumvent this problem.
I’ve simply added this directive to my apache configuration file:
    <DirectoryMatch "^/.*/(\.svn)/">
        Order deny,allow
        Deny from all
    </DirectoryMatch>
That solved the problem for me.
To test if your checked-out files are vulnerable, just add .svn/entries (e.g. http://geekpad.ca/blog/.svn/entries) to the URL of a directory. If you get a plain text document with a listing of all your files, versions, etc., then your files are exposed and you should add the directive above.
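As an added example (not code from the original post), the following Python script audits a document root on disk: it lists every URL path that would serve a `.svn/entries` file and summarises what that file discloses. It assumes the plain-text entries layout of pre-1.7 Subversion working copies (line 0 = name, 1 = kind, 3 = URL, 4 = repository root, 10 = last author); the sample data and the names `parse_entries` and `audit` are constructed for illustration.

```python
import os
import sys

def rec(name, kind, url="", root="", author=""):
    # One record in the assumed layout, terminated by form feed + newline.
    return "\n".join([name, kind, "", url, root, "", "", "", "", "", author]) + "\n\x0c\n"

# Constructed sample, not taken from a real working copy.
SAMPLE = ("10\n" + rec("", "dir", "http://svn.example.invalid/site/production",
                       "http://svn.example.invalid/site", "deploy")
          + rec("config.php", "file", author="alice") + rec("admin", "dir"))

def parse_entries(text):
    """Summarise what a plain-text .svn/entries file would disclose."""
    head, _, body = text.partition("\n")
    if not head.strip().isdigit():      # not the numbered plain-text format
        return None
    out = {"url": None, "repos_root": None, "authors": set(), "names": []}
    for i, chunk in enumerate(body.split("\x0c")):
        lines = (chunk[1:] if i else chunk).split("\n")
        if len(lines) < 2 or not lines[1]:
            continue                    # trailing separator, no record
        get = lambda n: lines[n] if n < len(lines) and lines[n] else None
        if lines[0]:
            out["names"].append(lines[0])            # sibling file or directory
        else:                                        # record for the directory itself
            out["url"], out["repos_root"] = get(3), get(4)
        if get(10):
            out["authors"].add(get(10))
    return out

def audit(docroot):
    """Return (url_path, disclosure) for every .svn directory under docroot."""
    findings = []
    for dirpath, dirnames, _ in os.walk(docroot):
        if ".svn" not in dirnames:
            continue
        dirnames.remove(".svn")                      # do not descend into metadata
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        url_path = "/" + ("" if rel == "." else rel + "/") + ".svn/entries"
        entries, info = os.path.join(dirpath, ".svn", "entries"), None
        if os.path.isfile(entries):
            with open(entries, encoding="utf-8", errors="replace") as fh:
                info = parse_entries(fh.read())
        findings.append((url_path, info))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for path, info in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, info)
```

Run it with the document root as the argument; each path it prints should return a denied response once the directive is in place.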