[walesmd]

This isn't really a vulnerability - just developers not doing their job. Anyone who uses SVN (or any other version management system, for that matter) should know how it works.

I know SVN creates these hidden directories (named .svn) within every directory of my project that contains the working copies of the files within that directory. Therefore I either use export (to not upload the hidden folders) or I make them not accessible to the public via .htaccess.

Saying this is a vulnerability is like telling someone copying/pasting their code into a Pastie is a vulnerability. Common sense.

[peterwwillis]

People mis-configure Apache all the time. They leave their site wide open for attack. They're vulnerable.

Saying it's not a vulnerability when 3,000 sites all have their source code visible to the world is like having your arm chopped off and saying "no it isn't, it's just a flesh wound."

I know it's not a cool remote root buffer overflow exploit hat trick 540 front side flip, but it's a security hole which people need to be educated about.

[walesmd]

But Apache isn't misconfigured in this instance - a file was uploaded and people are claiming that being able to view that file is a vulnerability.

I guess it is a vulnerability of the same standard as "My password is: password".

I just don't understand why everyone is up-in-arms and so surprised by this "vulnerability." It's common sense...