Observium Apache Subversion Module Metadata accessible via HTTP......!
Dear Team, We found following vulnerability in our observium tool :-
Vulnerability Detection Result :-
We found that Everybody can access/read '.svn/entries'. using https://<observium-url/.svn/entries
Details: Apache Subversion Module Metadata Accessible
OID:1.3.6.1.4.1.25623.1.0.105099
But we checked at Observium Apache Server and found that we have not Load any module for Subversion.
So, Please suggest how to solve this vulnerability and if I delete or move .svn folder Will it impact to my running observium?
.... With Best Regards, Chaman Rathee Mob. No. :- 9560055816
[Fabrikam]
Privileged or confidential information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), please delete this message and kindly notify the sender by an emailed reply. Opinions, conclusions and other information in this message that do not relate to the official business of Progression and its associate entities shall be understood as neither given nor endorsed by them.
On 2015-09-09 at 07:59, Chaman Rathee wrote:
> Vulnerability Detection Result :-
> We found that Everybody can access/read '.svn/entries'. using https://<observium-url/.svn/entries
> Details: Apache Subversion Module Metadata Accessible
> OID:1.3.6.1.4.1.25623.1.0.105099
> So, Please suggest how to solve this vulnerability and if I delete or move .svn folder Will it impact to my running observium?

Add this to your apache config:
```apache
<DirectoryMatch "^/.*/.svn/">
    Order deny,allow
    Deny from all
</DirectoryMatch>
```
/niklas
On 09.09.15 8:59, Chaman Rathee wrote:
> Dear Team,
> We found following vulnerability in our observium tool :-
> Vulnerability Detection Result :-
> We found that Everybody can access/read '.svn/entries'. using https://<observium-url/.svn/entries

What do you see at this URL? (https://<observium-url/.svn/entries)

Normally, if you use Apache with mod_rewrite enabled and Observium installed as described in the official docs, you cannot see the content of this file (and the .svn dir).
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
I have just discovered on our server, we can all view this page too, even externally…
I have checked the .htaccess and it doesn't appear to have anything in there to hide the .svn
maybe add it in a commit :)
Simon
On 2015-09-09 10:58, Mike Stupalov wrote:
> On 09.09.15 8:59, Chaman Rathee wrote:
>> Dear Team,
>> We found following vulnerability in our observium tool :-
>> Vulnerability Detection Result :-
>> We found that Everybody can access/read '.svn/entries'. using https://<observium-url/.svn/entries
>
> What do you see at this URL? (https://<observium-url/.svn/entries)
> Normally, if you use Apache with mod_rewrite enabled and Observium installed as described in the official docs, you cannot see the content of this file (and the .svn dir).

I can see it on my installs (tested before comment on irc) so I'm pretty sure something is missing...

Tom
On 09.09.15 12:21, Tom Laermans wrote:
> On 2015-09-09 10:58, Mike Stupalov wrote:
>> On 09.09.15 8:59, Chaman Rathee wrote:
>>> Dear Team,
>>> We found following vulnerability in our observium tool :-
>>> Vulnerability Detection Result :-
>>> We found that Everybody can access/read '.svn/entries'. using https://<observium-url/.svn/entries
>>
>> What do you see at this URL? (https://<observium-url/.svn/entries)
>> Normally, if you use Apache with mod_rewrite enabled and Observium installed as described in the official docs, you cannot see the content of this file (and the .svn dir).
>
> I can see it on my installs (tested before comment on irc) so I'm pretty sure something is missing...

This is relevant only for those who used old svn with the old (non-sqlite) format.

> Tom
Hi Chaman,
This isn't really that much of a security issue, since it's *our* SVN data, rather than *your* SVN data. There's nothing useful in there, and anyone can get an identical copy of the metadata by just downloading our code from our SVN server!
If you delete or move the .svn folders you'll no longer be able to update, since this is metadata used by SVN.
We've blocked dot files in the latest revision using .htaccess, which will make this warning go away.
adam.
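An added example, not taken from the thread and not Observium's own `.htaccess`: the server-config block from Niklas's reply with the dot escaped and written for both Apache 2.2 and 2.4, followed by `.htaccess` forms, since `<DirectoryMatch>` is not allowed in `.htaccess`. It assumes mod_alias is loaded for option A and mod_rewrite for option B, and that the web root has `AllowOverride FileInfo`.

```apache
# --- Server or virtual-host config (not valid in .htaccess) ---
# Deny every directory named .svn at any depth. The dot is escaped so that
# only a literal ".svn" path component matches.
<DirectoryMatch "/\.svn(/|$)">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (same directives as in the reply above)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</DirectoryMatch>

# --- .htaccess in the web root (needs AllowOverride FileInfo) ---
# Option A, mod_alias only: answer 404 for anything under a .svn directory.
RedirectMatch 404 "(^|/)\.svn(/|$)"

# Option B, mod_rewrite: refuse every dot-prefixed path component, keeping
# /.well-known/ reachable (used by ACME and similar). Place this before any
# catch-all rewrite rules so it is evaluated first.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteRule "(^|/)\." - [F]
</IfModule>
```

After reloading Apache, a request for `/.svn/entries` on your own install should return 403 or 404 instead of 200. Option B does nothing if mod_rewrite is not loaded, so confirm the result with a request rather than relying on the file being in place.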
participants (6)
- Adam Armstrong
- Chaman Rathee
- Mike Stupalov
- Niklas Larsson
- Simon Smith
- Tom Laermans