
Sources obtained for 3300 projects of the global network

Protection against the vulnerability
History of the research
Some statistics:


The vulnerability can be avoided in several ways. The most direct approach is to block access to the SVN metadirectories on port 80, i.e. at the web server.

The solution for nginx

<code>location ~ /\.svn/ {
    deny all;
}</code>

nginx has no global locations, so the rule has to be written into every server block. For the rule to take effect it must be loaded before the other locations with regular expressions; the universal way is to make it the first location.

The solution for Apache

<code>&lt;Directory ~ ".*\.svn"&gt;
    Order allow,deny
    Deny from all
    Satisfy All
&lt;/Directory&gt;</code>

Here it is a little easier: we add this to httpd.conf, and for every project served by this Apache the .svn directories become unreadable.
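The two rules above are web-server configuration and cannot be exercised outside nginx or Apache, so the following is an added example, not code from the original post: a small Python script that (1) mirrors the `/\.svn/` pattern to show which request URIs the rule does and does not catch, (2) runs that pattern over access-log lines to find requests for SVN metadata that were actually served with 200 before the rule was in place, and (3) walks a document root to list the .svn metadirectories that exist there. The log format (combined format), the log lines, the client addresses and the docroot layout are all constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Python equivalent of the nginx rule `location ~ /\.svn/`. nginx's `~` is a
# case-sensitive regex match, so the pattern is compiled case-sensitively too.
SVN_RULE = re.compile(r"/\.svn/")


def is_blocked(uri: str) -> bool:
    """True when a request URI would be caught by the .svn location rule."""
    return SVN_RULE.search(uri) is not None


# Combined-format access log lines, constructed for this example only
# (addresses are from the documentation ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2010:10:00:01 +0300] "GET /.svn/entries HTTP/1.1" 200 4312
203.0.113.10 - - [01/Jan/2010:10:00:02 +0300] "GET /admin/.svn/text-base/config.php.svn-base HTTP/1.1" 200 1833
198.51.100.7 - - [01/Jan/2010:10:05:00 +0300] "GET /index.php HTTP/1.1" 200 9120
198.51.100.7 - - [01/Jan/2010:10:06:00 +0300] "GET /svn/ HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2010:11:00:00 +0300] "GET /.svn/entries HTTP/1.1" 403 169
"""

# Minimal parser for the combined log format: client, timestamp, request
# line (method, URI, protocol), status and response size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def svn_requests(log_text: str) -> list[tuple[str, str, int]]:
    """Return (client, uri, status) for every request aimed at an SVN metadirectory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue  # unparseable line: skip it rather than guess
        if is_blocked(m["uri"]):
            hits.append((m["ip"], m["uri"], int(m["status"])))
    return hits


def served_svn_requests(log_text: str) -> list[tuple[str, str, int]]:
    """Subset of svn_requests that the server answered with 200: metadata
    actually left the host, so these are the requests worth investigating."""
    return [hit for hit in svn_requests(log_text) if hit[2] == 200]


def find_svn_dirs(docroot: str) -> list[str]:
    """List every .svn metadirectory under a document root, relative to it.
    Anything found here must be blocked by the web server or removed."""
    root = Path(docroot)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob(".svn") if p.is_dir())


def demo_docroot_scan() -> list[str]:
    """Build a throwaway docroot with two checked-out subtrees and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub in ("", "admin"):
            meta = Path(tmp, sub, ".svn")
            meta.mkdir(parents=True)
            (meta / "entries").write_text("constructed placeholder\n")
        Path(tmp, "svn").mkdir()  # an ordinary directory named svn, not metadata
        return find_svn_dirs(tmp)


if __name__ == "__main__":
    for uri in ("/.svn/entries", "/admin/.svn/wc.db", "/svn/", "/.svnx/", "/.svn"):
        print(f"{uri:28} blocked={is_blocked(uri)}")
    for client, uri, status in svn_requests(SAMPLE_LOG):
        print(f"{client:14} {status} {uri}")
    print("served before the fix:", len(served_svn_requests(SAMPLE_LOG)))
    print("metadirectories in docroot:", demo_docroot_scan())
```

Two things the output makes visible: a directory merely named `svn` (the `/svn/` request) is not touched by the rule, and the pattern requires the slash after `.svn`, so a request for `/.svn` with no trailing slash does not match it by itself. With nginx's default handling of a directory requested without the trailing slash the client is redirected to `/.svn/`, which then hits the rule, but that is worth confirming on your own server after deploying the configuration rather than assuming it.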

The solution by means of SVN itself

<b>Crawled domains:</b> 2253388 <b>Vulnerable:</b> 3320 There are no statistics on the notifications yet; perhaps they will be published in a couple of weeks. Of the major portals, six responded. Yandex was the quickest, sending an e-mail on Sunday night. Ten projects did not reply to our letters, and three projects closed the vulnerability without a word of thanks. We are not vindictive, so we will not write their names ...

Cybersquatters love SVN, and so do SEO optimizers;

The CSS for a single Yandex calendar is assembled from a dozen CSS files by running make from the console 0_0;

Rambler projects use Yandex services 0_0; "domain ownership proof" files for Yandex services were found;

RBC uses both Yandex services and Google services, and is very fond of "complex" passwords;

Opera respects MySQL, but their site is bare HTML with real directories and subdirectories;

Blonde respects CodeIgniter;

PostgreSQL respects the Wikimedia engine =&gt; PostgreSQL respects MySQL ;-) and errors ;-(

All Futuriko (and Lepra) projects are written in Perl.

About 10 sites with words like «hack» and «secure» in the domain name are vulnerable;

Many believe that naming the phpmyadmin directory something like «__xpma123uff__» while keeping the password in the configuration is good protection;

Many still keep .inc config files without the .php extension, which open as plain text in the browser.

We are open to cooperation ;) P.S. To avoid any conflicts, all sources obtained during the study were printed out and burned :-) P.P.S. Two points:

absolutely everyone who could be affected received a warning about the vulnerability, with the exact publication date, <b>in advance</b>.

No source code will be published or sold in any form. There is no need to write to us about it.

<b>Q:</b> Why did so many well-known projects ignore such an elementary leak all at once? <b>A:</b> I think there are many reasons. Some decided that .svn makes no difference, since the content is accessible with or without .svn. Others probably just did not know about .svn, or forgot about it.

<b>Q:</b> Do you plan to add to nginx the possibility of global URL rules (before the server directive, so that potentially dangerous addresses can be blocked right away at setup time)? <b>A:</b> No. I believe that global settings in the end lead to a configuration that becomes harder and harder to maintain with every step.

This article is reposted from hackfreer's 51CTO blog; original link: http://blog.51cto.com/pnig0s1992/767863. Contact the original author for reprint permission.