Unprotected SVN directory
Unauthorized users may be able to read your Subversion working-copy directory over the web.
Details:
Many developers manage the program code of a store system with a version control system in order to track changes to it. One of these systems is Subversion, SVN for short.
To be able to track and, if necessary, undo changes to the program code, Subversion keeps a pristine copy of every versioned file together with metadata (file paths, revisions, the repository URL) in a special directory inside the working copy. This directory is named .svn. Since Subversion 1.7 there is a single .svn directory at the root of the working copy; older releases placed one in every subdirectory.
The files in the .svn directory therefore contain a complete copy of your store's program code: .svn/wc.db lists every versioned file and .svn/pristine/ holds its content. This alone allows a targeted attacker to study the code offline for vulnerabilities and then break into your store or spy on your customers. Often, however, the files in the store installation directory also contain credentials, e.g. for the store database or for external systems such as merchandise management or a customer support platform. In that case an attacker can gain direct access to those systems and read, manipulate or perform unauthorized actions on their data. No directory listing is needed for any of this: the file names inside .svn are fixed, so a single request for /.svn/wc.db is enough to detect the problem and start the download.
Solution
The protective measures against this security risk must prevent access to the .svn directory and the files it contains. You can do this as follows:
Do not place the directory on the web server.
Do not deploy the .svn directory to the cluster at all, or delete it immediately after a deployment. The directory is only needed if you want to work actively with the version control system on the server, e.g. run svn update there. We recommend doing that only on staging or development environments, so that the production cluster can do without the .svn directory entirely. The simplest way to get a clean deployment is svn export, which writes the files of a revision without any .svn directory, instead of svn checkout.
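The following shell script is an added example and not part of this page or of the hosting provider's tooling. It shows the deployment hygiene described above: a scan that refuses to go live while version-control metadata is present, a cleanup step, and a deployment wrapper around svn export. The scan also covers the Git directories and macOS .DS_Store files listed under "Further recommended actions". The docroot tree at the bottom is constructed for the demonstration; the repository URL, target path and revision passed to svn_export_deploy are placeholders, and that function is not executed here because it needs svn and a real repository.

```shell
#!/bin/sh
# Added example, not the hosting provider's code: keep version-control metadata
# out of a production docroot. Assumes POSIX sh and find(1); the repository URL,
# docroot and revision used in svn_export_deploy are placeholders.

# List VCS metadata directories (.svn, .git, .hg) and macOS .DS_Store files below
# a docroot, one path per line. Exit status 0 when clean, 1 when anything is found.
find_vcs_dirs() {
    docroot=$1
    found=$(find "$docroot" \( -type d \( -name .svn -o -name .git -o -name .hg \) \
                               -o -type f -name .DS_Store \) -print 2>/dev/null | LC_ALL=C sort)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Delete everything find_vcs_dirs would report. -prune stops find from descending
# into a directory it is about to remove.
strip_vcs_dirs() {
    docroot=$1
    find "$docroot" \( -type d \( -name .svn -o -name .git -o -name .hg \) \
                       -o -type f -name .DS_Store \) -prune -exec rm -rf {} +
}

# Deploy straight from the repository: "svn export" writes the files of the given
# revision and never creates a .svn directory, unlike "svn checkout". The scan
# afterwards is a safety net. Not run below because it needs svn and a repository.
svn_export_deploy() {
    repo_url=$1; target=$2; rev=${3:-HEAD}
    svn export --force -r "$rev" "$repo_url" "$target" || return 1
    find_vcs_dirs "$target"
}

# Demonstration on a constructed tree that stands in for a docroot left behind by
# "svn checkout", plus a git checkout inside app/ and a .DS_Store from a Finder visit.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/.svn/pristine" "$demo_root/app/.git" "$demo_root/app/etc"
: > "$demo_root/.svn/wc.db"
: > "$demo_root/app/.git/HEAD"
: > "$demo_root/.DS_Store"
: > "$demo_root/index.php"

echo "scan before cleanup:"
find_vcs_dirs "$demo_root" || echo "-> leftover metadata found, do not go live"
strip_vcs_dirs "$demo_root"
echo "scan after cleanup:"
find_vcs_dirs "$demo_root" && echo "-> clean, index.php and app/etc untouched"
rm -rf "$demo_root"
```

Run find_vcs_dirs against the real docroot as the last step of every deployment and make the deployment fail when it returns 1; that way a forgotten checkout never reaches production, whatever the web server configuration says.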
Preventing access to the .svn directory
If you cannot do without the directory, access to it must be blocked by the web server. Depending on the web server in use, access protection can be implemented as follows:
Example: Apache
When using Apache, Subversion directories can be protected via the .htaccess configuration file. This protection applies to the directory in which this file is located as well as to all directories below it. Edit an existing .htaccess file in the htdocs directory or create the file if it does not exist. Then add the following lines, preferably at the beginning:
# block access to directories named ".svn"
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule (^|/)\.svn/ - [F,L]
</IfModule>
The rule matches the request path relative to the directory holding the .htaccess file, so (^|/) catches .svn both in htdocs itself and in any subdirectory, and the [F] flag answers with 403 Forbidden. Two caveats: the <IfModule> wrapper means the rule silently does nothing if mod_rewrite is not loaded, and RewriteRule in .htaccess requires AllowOverride FileInfo (or All) for that directory. After adding the rule, request /.svn/wc.db on the live site and confirm that you receive a 403.
Example: NGINX
When using NGINX, the protection must be built into the configuration of the affected domain. For this, use our application templates for Magento 1, Magento 2 or Shopware, in which the protection of the .svn directory is already integrated.
Alternatively, you can add the following line to userdefined.conf via the rule editor of the affected domain.
# block access to directories named ".svn"
location ~* /\.svn/ { return 403; }
NGINX evaluates regular-expression locations in the order they appear in the configuration and uses the first one that matches, so place this line before any other regex location (for example the one that hands .php files to PHP-FPM); otherwise a request for a path ending in .php below .svn would be handled by that location instead. As with Apache, verify afterwards by requesting /.svn/wc.db and checking for a 403.
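Whichever of the two rules you use, check that it really takes effect. The following shell script is an added example, not part of this page or of the provider's templates. It probes a live host for the paths an attacker would request first and reports anything that is not answered with 403 (or 404, if the directory no longer exists). Offline, it also shows which request paths the pattern shared by the Apache and NGINX rules above catches: the bare /.svn without a trailing slash is not matched. Apache's mod_dir and NGINX typically redirect such a request to /.svn/, which the rule then blocks, but the 301 still reveals that the directory exists. The host name shop.example, the probe list and the stricter pattern in rule_matches_strict are assumptions, and the live probe is left commented out because it needs network access.

```shell
#!/bin/sh
# Added example, not the hosting provider's code: verify that the web server
# refuses version-control metadata. Assumes curl(1); "https://shop.example" is a
# placeholder for a host you own.

# Paths an attacker would request first. Constructed list; extend per application.
PROBE_PATHS='/.svn/wc.db /.svn/entries /.svn/pristine/ /app/.svn/wc.db /.git/HEAD /.git/config /.DS_Store'

# Does PATH hit the regex used by the page's Apache and NGINX rules? Exit 0 if so.
rule_matches() {
    printf '%s' "$1" | grep -Eq '(^|/)\.svn/'
}

# Assumed tighter pattern: also catches the bare directory name (no trailing slash)
# and the Git and Mercurial directories.
rule_matches_strict() {
    printf '%s' "$1" | grep -Eq '(^|/)\.(svn|git|hg)(/|$)'
}

# Probe a live host. Every path must come back 403 (or 404 if the directory was
# removed). Anything else, including 200, 301 and connection failures (000), is
# reported as exposed; exit status 1 if at least one path is exposed.
probe_host() {
    host=$1; rc=0
    for p in $PROBE_PATHS; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$host$p")
        case $code in
            403|404) printf '%-24s %s ok\n' "$p" "$code" ;;
            *)       printf '%-24s %s EXPOSED\n' "$p" "$code"; rc=1 ;;
        esac
    done
    return $rc
}

# Offline demonstration of the pattern behaviour (no network needed).
for p in /.svn/wc.db /shop/.svn/entries /.svn /.svnbackup/ /.git/HEAD; do
    rule_matches "$p" && a=blocked || a=passes
    rule_matches_strict "$p" && b=blocked || b=passes
    printf '%-22s page rule: %-8s strict rule: %s\n' "$p" "$a" "$b"
done

# Live check (uncomment on a host you own):
# probe_host https://shop.example
```

Run probe_host from outside your own network after every configuration change and after every deployment; a rule that was pasted into the wrong file, placed after another regex location, or disabled because a module is missing only shows up when a real request is made.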
Further recommended actions
- Also protect the directories of the version control system Git (.git) and the macOS files .DS_Store from unauthorized access.
- Protect folders with log files (for Magento: var/log) as well as configuration files (for Magento: app/etc).
- When using Apache, check in an existing .htaccess file whether access to the corresponding directories or files is blocked. The directories to be protected may also contain .htaccess files of their own.
- When using NGINX, use our application templates, which already protect many application-specific folders and files.