To .svn and Beyond

A while ago Ron from skullsecurity.net blogged about the .git directory. It was interesting to read this because I recently noticed the same about the .svn directory.

Ron wrote that the .git directory is full of useful stuff. This is the same for the .svn (working copy) directory. I’m pretty sure others have noticed this about the .svn directory too. But I haven’t really found a post or a tool that does the same. And if there is, then I just needed a bad excuse to write a new tool :P (we all know that feeling where you just feel like coding something cool).

The .svn working copy directory is used by SVN to manage the local working copy of a repository. You’ll find the .svn directory on the machines of developers or other people who commit code to or check out code from the SVN server. Because ‘dot’ directories are not shown by default on a UNIX system by the ‘ls’ command, these directories can be overlooked quite easily. One possible way to deploy new code is to do a checkout and deploy the result to the server. When the .svn directory is not dealt with, an attacker can use it to gather information or – depending on the type of files – download valuable content.

Note: during this post I’m only talking about what happens when the .svn directory gets deployed on a webserver.

Because the .svn directory is deployed with the rest of the application, the .svn directory will be accessible via the web. At first the directory doesn’t look that interesting at all, until I looked at ‘wcprops-all’. This file contains the names of files that are in the SVN repository. On their own, file and directory names are just useful for info-gathering. But the underlying directories contain the content of the files listed in wcprops-all. This creates a valuable resource for us when performing a pentest, both during information gathering and in a possible attack scenario. The reason is that it is likely that database dumps or other critical files are kept in SVN.

Do remember that this method relies on files that are already in SVN. The files listed in the ‘wcprops-all’ file should all be on the webserver, but some of them are not linked to from any URL on the webpages. So this method is great for finding “hidden” files. By “hidden” I mean that some developers will check database backups or other valuable files into SVN to keep track of changes. With a little luck you can find these files ;)

The .svn directories are very simple to find using the following Google dork:

".svn" intitle:"Index of" site:

I wrote a script that allows you to download the content of the .svn directory. You can download the script at: https://github.com/damnsecure/FlowerMonkey

git clone https://github.com/damnsecure/FlowerMonkey.git

The script is very easy to use. Just provide it with a URL and let the script do its work. See the git page (README.md) for more info.

  • Remember, this tool only downloads the provided URL (the direct path, including the folder) and the files discovered in the .svn directory. This script does NOT crawl any underlying directories of the website.

So what can you do about it? The solution is very easy. There are multiple methods but I think the following two are the most useful:

  1. Remove the .svn directory when deploying your application. Easy right ;)

  2. Deny access to the .svn directories.

You can do this by adding the following to your httpd.conf or .htaccess files, scoped so that it applies only to the .svn directories:

    Deny From All

[edit] Redirecting it to a 404 page is also a possibility:

RedirectMatch 404 /\.svn(/|$)

[/edit]
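A pre-deployment check that covers both mitigations, as an added example that is not part of the original post or of FlowerMonkey: it walks a build directory, lists any version-control metadata directories that would ship with it, and tests each resulting URL path against the RedirectMatch pattern (written with a single backslash so that it matches a literal dot). The function names, the sample tree and the decision to flag .git as well are assumptions made for this illustration.

```python
import os
import re
import sys
import tempfile

# Pattern of the RedirectMatch rule, with a single backslash (a literal dot).
SVN_DENY = re.compile(r"/\.svn(/|$)")
# Assumption: .git is flagged too, since the post says it leaks in the same way.
VCS_DIRS = {".svn", ".git"}


def find_vcs_dirs(docroot):
    """Return the URL paths, relative to docroot, of VCS metadata directories."""
    hits = []
    for current, dirs, _files in os.walk(docroot):
        for name in dirs:
            if name in VCS_DIRS:
                rel = os.path.relpath(os.path.join(current, name), docroot)
                hits.append("/" + rel.replace(os.sep, "/"))
        # One hit per metadata directory is enough: do not descend into it.
        dirs[:] = [d for d in dirs if d not in VCS_DIRS]
    return sorted(hits)


def audit(docroot):
    """Map each metadata path to True if the .svn deny rule would cover it."""
    return {p: bool(SVN_DENY.search(p)) for p in find_vcs_dirs(docroot)}


def build_sample_tree(root):
    """Constructed sample: a working copy copied into the web root as-is."""
    for d in (".svn", "img/.svn", "admin/.svn", "vendor/lib/.git", "docs.svn"):
        os.makedirs(os.path.join(root, *d.split("/")))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = audit(sys.argv[1])          # audit a real build directory
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            report = audit(tmp)
    for path, covered in report.items():
        print(path, "denied by rule" if covered else "NOT covered by rule")
    sys.exit(1 if report else 0)             # fail the deploy on any finding
```

Run with a build directory as its argument, it exits non-zero whenever metadata would be deployed; on the constructed tree it also shows that the .svn rule leaves a .git directory uncovered.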

As described in Ron’s post, the .git directory allows you to do a new checkout. I haven’t tested this with the .svn directory, but I see no reason why this shouldn’t work. This could actually be an even better way of obtaining files (including source code) of a web application. But again, I have not tested this. If somebody did, please do let me know. Either way, I’ll get back to you on this topic, I think. Even if this works, it is still possible that the SVN server is hosted on an internal server, making a straight checkout impossible. This is where this tool is useful.

But for now, cheers and stay warm, Ruben.

[edit] I also just found a metasploit module that does about the same as my script. The module is called: “svn_scanner” and can be found at: http://dev.metasploit.com//redmine/projects/framework/repository/revisions/master/raw/modules/auxiliary/scanner/http/svn_scanner.rb [/edit]
