Translation of http://habrahabr.ru/blogs/infosecurity/70330/

Source code of 3300 global Internet projects obtained

A couple of months ago we (2Comrades and Anton Isajkin) discovered a vulnerability present in most large Internet projects (Rambler, Mail.ru, Yandex, Opera and so on). It was possible to gain access to the file structure of well-known sites (3320 sites in total) and, in some cases, to their complete source code.

It might seem hard to find such a vulnerability in the 21st century: everything seems to have been found already, and whatever has not been found is buried very, very deep. It turned out that the root of today's evil is a quite everyday thing. Surely each of you has at some point dealt with the Subversion (SVN) version control system.

SVN is an advanced tool for organising the joint work of tens or even hundreds of developers. Because of its architecture, SVN stores in every directory of the project a neatly arranged set of metafiles in a hidden directory named .svn. One of them, a file named entries, lists all files and directories located in the same folder as .svn. It also holds information about the repository location, file sizes, modification dates and the logins of the users working on the project. Not bad, right? Let me explain: if a project is developed with SVN, then opening draftcopy.ru/.svn/entries shows the file structure of the project root together with authors, last changes, a reference to the main repository branch and so on.

But one can go further. In the same .svn folder there is a directory text-base holding the latest versions of all files in the repository. The picture is completed by the fact that these files do not carry their usual extension (e.g. .php), which would send them straight to the interpreter, but an additional .svn-base extension, thanks to which the file is served to whoever requested it "as is", i.e. as raw source code!

draftcopy.ru/.svn/text-base/index.php.svn-base
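To make concrete what an exposed entries file gives away, here is an added example (not the post's own tooling) that parses the line-based entries format and summarises the leak: file names, directory names, committer logins and the repository URL. The field order is assumed to follow the working-copy format of Subversion 1.4 to 1.6 (format versions 8 to 10), and the sample file is constructed with placeholder hostnames and user names. A defender can point this at a working copy on their own server to see exactly what a request for /.svn/entries would reveal.

```python
"""Parse a Subversion 1.4-1.6 working-copy ``.svn/entries`` file and
summarise what an exposed copy reveals.

Added example for this translation; not the post's own tooling.
The field order is assumed to follow the entries file format used by
Subversion 1.4-1.6 (format versions 8-10). The sample below is
constructed: placeholder hostname, user names and checksums."""

# Positional fields of one entry (newline separated). Trailing empty
# fields are omitted on disk, so an entry may be shorter than this list.
FIELDS = [
    "name", "kind", "revision", "url", "repos", "schedule", "text_time",
    "checksum", "committed_date", "committed_rev", "last_author",
]

ENTRY_SEPARATOR = "\x0c\n"  # form feed + newline terminates each entry


def parse_entries(text):
    """Return {'format': int, 'url': str, 'repos': str, 'entries': [dict]}."""
    header, _, body = text.partition("\n")
    parsed = {"format": int(header.strip()), "url": "", "repos": "", "entries": []}
    for chunk in body.split(ENTRY_SEPARATOR):
        if not chunk.strip():
            continue
        values = chunk.split("\n")
        values += [""] * (len(FIELDS) - len(values))  # pad short entries
        entry = dict(zip(FIELDS, values))
        if entry["name"] == "":  # first entry describes the directory itself
            parsed["url"] = entry["url"]
            parsed["repos"] = entry["repos"]
            continue
        parsed["entries"].append(entry)
    return parsed


def summarize_exposure(parsed):
    """What an exposed entries file leaks: layout, committers, repository."""
    entries = parsed["entries"]
    return {
        "repository": parsed["repos"] or parsed["url"],
        "files": sorted(e["name"] for e in entries if e["kind"] == "file"),
        "dirs": sorted(e["name"] for e in entries if e["kind"] == "dir"),
        "authors": sorted({e["last_author"] for e in entries if e["last_author"]}),
    }


# Constructed sample: a project root containing css/, index.php and config.inc
SAMPLE = (
    "10\n"
    "\ndir\n1234\n"
    "http://svn.example.test/repos/site/trunk\n"
    "http://svn.example.test/repos/site\n"
    "\n\n\n"
    "2009-10-01T12:00:00.000000Z\n1234\nalice\n"
    + ENTRY_SEPARATOR
    + "css\ndir\n"
    + ENTRY_SEPARATOR
    + "index.php\nfile\n\n\n\n\n"
    "2009-09-30T09:00:00.000000Z\n"
    "00000000000000000000000000000000\n"
    "2009-09-30T09:00:00.000000Z\n1230\nbob\n"
    + ENTRY_SEPARATOR
    + "config.inc\nfile\n\n\n\n\n"
    "2009-09-28T08:00:00.000000Z\n"
    "00000000000000000000000000000000\n"
    "2009-09-28T08:00:00.000000Z\n1200\nalice\n"
    + ENTRY_SEPARATOR
)

if __name__ == "__main__":
    for key, value in summarize_exposure(parse_entries(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run it against a real working copy with `summarize_exposure(parse_entries(open(".svn/entries").read()))`; the summary is the same information the post says an attacker reads from the browser, which is why the remedy below is to keep the directory out of the web root or deny it in the server configuration.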

It should be noted that the picture described is the ideal case; although it was like this in most cases, a large percentage of the source code still could not be obtained for one reason or another.

Having realised that the vulnerability we found had been present in most projects for the last nine years, we decided to scan the whole RuNet to see how Internet projects live and to gather some interesting statistics. But before the story of how it went, grey-haired administrators need to be told how to protect themselves from this …

Protection against vulnerability

The vulnerability can be closed in several ways. The head-on approach is to forbid access to the SVN metadirectories on port 80, i.e. by web server means.

The solution for nginx

location ~ /\.svn/ {

deny all;

}

nginx has no global locations, so the rule has to be added to every server block. For the rule to take effect it must be placed ahead of other regular-expression locations; the universal way is to make it the first location.

The solution for Apache

<Directory ~ ".*\.svn">

Order allow,deny

Deny from all

Satisfy All

</Directory>

This is a bit easier: add it to httpd.conf and on every project served by Apache, reading from .svn directories becomes impossible.

The SVN-side solution

Protecting by web server means is treating the illness. Any doctor will tell you that prevention is simpler, easier and cheaper than treatment. So the best solution is not to have these metadirectories in the project root at all. This can be achieved with svn export from the main branch.
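The web server rules above stop the requests; the svn export advice removes the files. Both deserve a check in the deployment pipeline, so here is an added example (not from the post) that audits a web root for leftover Subversion metadata and fails when any is found. The demo trees are constructed in temporary directories: one mimics a plain checkout (with .svn directories and .svn-base copies), the other mimics what svn export produces.

```python
"""Audit a deployed web root for Subversion working-copy metadata.

Added example, not the post's own code. It walks the tree the way a
post-deploy check would and reports every ``.svn`` directory and
``*.svn-base`` file. The demo trees are constructed in temporary
directories; a real deployment made with ``svn export`` (as the post
recommends) contains none of these entries."""

import os
import tempfile


def find_svn_metadata(webroot):
    """Return sorted paths (relative to webroot) of .svn directories
    and *.svn-base files; an empty list means the tree is clean."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        for d in dirnames:
            if d == ".svn":
                hits.append(os.path.normpath(os.path.join(rel, d)))
        for f in filenames:
            if f.endswith(".svn-base"):
                hits.append(os.path.normpath(os.path.join(rel, f)))
    return sorted(hits)


def audit(webroot):
    """Return (ok, hits) so a deploy script can refuse to go live when
    metadata is present."""
    hits = find_svn_metadata(webroot)
    return (len(hits) == 0, hits)


def build_demo_tree(with_metadata):
    """Construct a throwaway web root. with_metadata=True mimics an
    ``svn checkout``; False mimics the clean output of ``svn export``."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    if with_metadata:
        text_base = os.path.join(root, ".svn", "text-base")
        os.makedirs(text_base)
        with open(os.path.join(root, ".svn", "entries"), "w") as fh:
            fh.write("10\n\ndir\n")
        # The raw source copy the post describes: served "as is" by a web server
        with open(os.path.join(text_base, "index.php.svn-base"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        os.makedirs(os.path.join(root, "css", ".svn"))
    return root


if __name__ == "__main__":
    for checkout in (True, False):
        ok, hits = audit(build_demo_tree(checkout))
        label = "checkout" if checkout else "export"
        print(label, "clean" if ok else "metadata found: %s" % hits)
```

In a deploy script, `ok, hits = audit("/var/www/site")` (path assumed) followed by a non-zero exit when `ok` is false catches the case where someone ran svn checkout instead of svn export, independently of whether the nginx or Apache deny rule is in place.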

Research history

As already mentioned, it was decided to scan the whole RuNet for this vulnerability. A proxy server was set up, a parser was written and a fresh database of domains in the .ru zone was obtained. The first version of the script ran for two weeks, fetching site after site in a single thread. By the end of the scan the database held more than 3000 vulnerable sites and occupied more than a hundred gigabytes of source code.

The problem with the first scan was that all sources were downloaded without analysis, regardless of whether the server returned a 200 or a 500 code, and graphics and JS scripts were fetched along with everything else. Moreover, web servers were often configured to return a 200 code even when the requested file did not actually exist.

The second version of the script was smarter: it ran in several threads from two server machines and correctly distinguished response codes from the content of the received pages. We covered the whole RuNet in 4 days. The .com zone was the next plan. It became obvious that with the current resources that pass would take at least a couple of years (the .com zone now holds more than 700 million domains, versus 2 million for .ru).

An excellent C programmer, Andrey Saterenko, was brought in; he wrote a fast daemon that would have cut our time expenses several times over. But unfortunately by that point the summer had ended and the workload at our day jobs had grown. The grandiose plans were shelved.

Before publishing the vulnerability openly, all potential victims had to be warned. First, letters were sent to the giants (yandex.ru, rambler.ru, mail.ru, opera.com, rbc.ru, 003.ru, bolero.ru, habrahabr.ru; 19 addresses in total), and then, last night, letters went to the remaining 3000+ sites.

Publication of this article was delayed while waiting for opera.com to close the vulnerability on all of its servers.

A little statistics:

Domains scanned: 2253388

Vulnerable: 3320

There are no statistics on the notifications yet; it may be possible to publish them in a couple of weeks. Of the large portals, six have replied. Yandex was the most responsive, sending a reply on Sunday night. Ten projects have not reacted to our letters in any way; three projects closed the vulnerability without saying thanks.

We are not vindictive, but we will write down their names …

Some interesting facts:

Cybersquatters have grown fond of SVN, and so have SEO optimizers;

Yandex's unified calendar CSS is assembled from ten CSS files with make from the console 0_0;

Rambler projects use Yandex services 0_0: domain verification files for Yandex services were found;

RBC uses both Yandex and Google services and is very fond of "complex" passwords;

Opera is fond of MySQL, but their site is plain HTML with real directories and subdirectories;

The Blonde is fond of CodeIgniter;

PostgreSQL is fond of Wikimedia => PostgreSQL is fond of MySQL 😉

All Futuriko projects (including Lepra) are written in Perl;

Around 10 sites with words like "hack" and "secure" in the domain name are vulnerable;

Many believe that naming the phpMyAdmin directory something like "__xpma123uff__" while keeping the password in a config file is "good" protection;

Many still store configs in .inc files without the .php extension, which the browser shows as plain text.

Working for you: 2Comrades (mobilz) and Anton Isajkin (oowl, twi).

We are open to cooperation 😉

P.S. To avoid conflicts, all source code obtained during the research was printed out and burned 🙂

P.P.S. Two points:

Everyone who could be affected received advance warning of the vulnerability with the exact date of publication.

No source code will be published or sold under any circumstances. There is no need to write to us about it.

P.P.P.S. Thanks to Habr user oowl for his assistance.

P.P.P.P.S. No source code of the Yandex search engine itself was obtained, but the web roots of the front ends of some resources were. Layout, xmlapi, xsl templates….. Nothing serious, apart from all the repository addresses, developer logins and so on.

Igor Sysoev, lead system administrator at Rambler and developer of the nginx web server known for its lightness, answered a couple of our questions:

Q: Why have so many well-known projects neglected such an elementary leak vector?

A: I think there are many reasons. Some consider that everything in .svn is the same as what is already accessible without .svn. Others probably simply did not know or forgot about .svn.

Q: Are there plans to add to nginx the ability to redirect URLs globally (at the server directive level, so that potentially dangerous addresses can be blocked right away during configuration)?

A: No. I believe that global options ultimately lead to a configuration that is harder to maintain every time.
