
Thread: ISSUE: New - SECURITY: include directory unprotected from source code disclosure




user name
2006-11-07 13:07:40
http://websvn.tigris.org/issues/show_bug.cgi?id=109
                 Issue #|109
                 Summary|SECURITY: include directory unprotected from source code disclosure
               Component|websvn
                 Version|trunk
                Platform|All
              OS/Version|All
                     URL|
                  Status|NEW
       Status whiteboard|
                Keywords|
              Resolution|
              Issue type|DEFECT
                Priority|P3
            Subcomponent|Unknown
             Assigned to|issueswebsvn
             Reported by|olo






------- Additional comments from olotigris.org Tue Nov  7 05:07:40 -0800 2006 -------
The default setup of WebSVN, done according to the instructions in install.txt, leaves a
serious security hole:

All the *.inc files that reside in the include/ directory aren't protected from
viewing. In default Apache+PHP configurations, those files are simply served as
text/plain.

So any user can navigate to e.g. https://servername/websvn/include/config.inc
and read the configuration directives, including repository definitions, which
can contain plain text passwords if remote repositories are configured!