(Note: This vulnerability also exists for CVS- and Git-based repositories. Adapt these instructions accordingly.)

The news of this vulnerability came out a while back, but I spent the afternoon securing a few scarily exploitable sites, so I figured I’d reiterate.

If you store your website in Subversion, it leaves behind a “.svn” directory in each directory under version control. This directory contains copies of the files in version control, stored with extensions which may not protect them from being downloaded (e.g., site.com/file.php becomes site.com/.svn/text-base/file.php.svn-base).

To fix this, put the following in your root .htaccess file (or something similar in httpd.conf) for Apache:

<Files ~ "\.svn">
    Order deny,allow
    Deny from all
</Files>

For nginx:

location ~ /\.svn { deny all; }
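
To see what these rules need to cover on a given server, the following added example (not part of the original post) walks a document root, lists the .svn, .git and CVS directories in it, and prints the URL path of each Subversion pristine copy using the text-base layout described above. The function names and the sample docroot are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit a document root for
# version-control metadata that the web server could hand out.

# List every .svn, .git or CVS directory under the docroot given as $1.
find_vcs_dirs() {
    find "$1" -type d \( -name .svn -o -name .git -o -name CVS \) -prune -print | sort
}

# Print the URL path of each Subversion pristine copy, using the layout the
# post describes: file.php -> .svn/text-base/file.php.svn-base
exposed_svn_urls() {
    root=${1%/}
    find "$root" -type f -path '*/.svn/text-base/*.svn-base' -print | sort |
    while IFS= read -r f; do
        printf '/%s\n' "${f#"$root"/}"
    done
}

# Build a small constructed docroot so the script runs offline.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/.svn/text-base" "$d/admin/.svn/text-base" "$d/lib/.git" "$d/img"
    echo '<?php /* constructed sample */' > "$d/file.php"
    cp "$d/file.php" "$d/.svn/text-base/file.php.svn-base"
    cp "$d/file.php" "$d/admin/.svn/text-base/config.php.svn-base"
    printf '%s\n' "$d"
}

# Audit the docroot passed as $1, or the constructed sample if none is given.
docroot=${1:-$(make_sample_docroot)}
echo "VCS metadata directories:"
find_vcs_dirs "$docroot"
echo "Pristine copies reachable by URL unless the server blocks them:"
exposed_svn_urls "$docroot"
```

Run it with the real document root as the first argument; an empty second list means no text-base copies are present under that root.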