Ticket #1484066 (new Patches)
SVN checkout and .htaccess
| Reported by: | bobtfish | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | later |
| Component: | Security issue | Version: | 0.1-beta |
| Severity: | minor | Keywords: | security htaccess |
| Cc: | bobtfish@… | | |
Description
The .htaccess files in roundcube stop access to some files, but not to all.
If you are using a subversion checkout of roundcube then it is possible to browse all the svn metadata. This isn't a problem for me, as I use svk, but it will be for someone else before long ;)
Being able to view files like the CHANGELOG could also be quite dangerous as it gives hackers a trivial way to fingerprint which version of RoundCube you are using.
I have a patch for this issue (generated by svk) at http://mail.bobtfish.net/roundcube-htaccess.patch. I hope this format is acceptable to you. Unfortunately, this patch adds an additional dependency on mod_rewrite as I couldn't find / think of another way to deny access to all .svn directories from a .htaccess file.
Cheers, Tom
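As an added example (editor's illustration, not the reporter's patch, which is only linked from the ticket and not reproduced here), this is a .htaccess fragment that takes the mod_rewrite route the ticket describes: any request whose path contains a `.svn` directory component is refused with 403, and direct requests for `CHANGELOG` are denied so the installed version cannot be read that way. It assumes Apache 2.x with mod_rewrite loaded and an `AllowOverride` setting that permits `FileInfo` and `Limit` directives in .htaccess; the file list is restricted to CHANGELOG because that is the only file the ticket names.

```apache
# Added example: deny web access to Subversion metadata and to CHANGELOG
# from a .htaccess file. Assumes Apache 2.x, mod_rewrite loaded, and
# AllowOverride FileInfo Limit (or All) for this directory.

# In per-directory context the rule is matched against the path relative to
# this directory, so anchor on "start of path" or "after a slash". Any path
# component named ".svn", at any depth, gets a 403 and rewriting stops.
RewriteEngine On
RewriteRule (^|/)\.svn(/|$) - [F,L]

# Block direct requests for CHANGELOG (the only file named in the ticket);
# extend the alternation if other informational files turn out to be exposed.
<FilesMatch "^CHANGELOG$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

To confirm the rules are in effect, request a metadata file through the web server (for example `curl -I http://your-host/roundcube/.svn/entries`, host name being a placeholder) and expect a 403 rather than a 200. Where mod_rewrite is not available, mod_alias offers an equivalent without the extra dependency: `RedirectMatch 404 /\.svn(/|$)`, which matches against the full URL path and additionally hides whether the directory exists at all.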
