CVS/SVN user disclosure

Medium Web Application Scanning Plugin ID 98079

Synopsis

CVS/SVN user disclosure

Description

Concurrent Version System (CVS) and Subversion (SVN) provide a method for
application developers to control different versions of their code.

Occasionally, the developer's version or user information is stored incorrectly
within the code and may be visible to the end user (either in the HTML or in code
comments). As one of the initial steps in information gathering, cyber-criminals
spider a website and use automated methods to discover any CVS/SVN
information that may be present in the page.

This will aid them in developing a better understanding of the deployed
application (potentially through the disclosure of version information), or it
may assist in further information gathering or social engineering attacks.

Using the same automated methods, the scanner was able to detect CVS or SVN details
stored within the affected page.
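The following is an added example of the kind of automated check described above; it is not the plugin's own code. It assumes the disclosed details take the form of expanded CVS/SVN keywords (`$Id$`, `$Author$`, `$Revision$` and similar), flags each hit, and records whether it sits inside an HTML comment, which is what the Solution below says to avoid. The sample HTML is constructed for the example.

```python
import re
from typing import Dict, List

# Keywords that CVS and Subversion expand in checked-out files (assumed list;
# the plugin page does not enumerate them). Longest first so the alternation
# matches "Revision" before "Rev".
KEYWORDS = sorted(
    ("Id", "Author", "Revision", "Rev", "Date", "HeadURL", "Header", "Source",
     "LastChangedBy", "LastChangedRevision", "LastChangedDate", "Log"),
    key=len, reverse=True,
)
KEYWORD_RE = re.compile(r"\$(" + "|".join(KEYWORDS) + r"):?\s*([^$\n]*)\$")
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def find_vcs_disclosures(html: str) -> List[Dict]:
    """Return every expanded CVS/SVN keyword found in a page body.

    Each finding records the keyword, its expanded value, the line it was
    found on, and whether it is inside an HTML comment (still delivered to
    the browser, so still a disclosure) or in visible page content.
    """
    comment_spans = [m.span() for m in HTML_COMMENT_RE.finditer(html)]
    findings = []
    for m in KEYWORD_RE.finditer(html):
        start = m.start()
        findings.append({
            "keyword": m.group(1),
            "value": m.group(2).strip(),
            "line": html.count("\n", 0, start) + 1,
            "in_html_comment": any(a <= start < b for a, b in comment_spans),
        })
    return findings


# Constructed sample page: one SVN $Id$ expansion in an HTML comment, one
# $Revision$ in visible text, and one $Author$ in a second comment.
SAMPLE_HTML = """<html>
<!-- $Id: index.php 1042 2017-03-31 09:12:55Z jdoe $ -->
<head><title>Example</title></head>
<body>
<p>Build: $Revision: 1042 $</p>
<!-- Last edited by $Author: jdoe $ -->
</body></html>
"""

if __name__ == "__main__":
    for f in find_vcs_disclosures(SAMPLE_HTML):
        where = "HTML comment" if f["in_html_comment"] else "visible content"
        print(f"line {f['line']}: ${f['keyword']}$ = {f['value']!r} ({where})")
```

Every hit is a finding regardless of placement; the `in_html_comment` flag only tells the reviewer which ones the "move to a server-side comment" fix will address.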

Solution

CVS and/or SVN information should not be displayed to the end user.
This can be achieved by removing this information altogether prior to deployment, or by putting it into a server-side (PHP, ASP, JSP, etc.) code comment block, which is stripped before the response is sent, as opposed to an HTML comment, which is delivered to the browser.

See Also

http://cwe.mitre.org/data/definitions/200.html

Plugin Details

Severity: Medium

ID: 98079

Type: remote

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information