* Joachim Breitner:

>> This is an unfortunate interaction between scponly and Subversion, but
>> not a real bug in any of the programs.  The same problem arises when a
>> scponly-restricted user uploads any form of executable contents.  CGI
>> scripts are more common (and their so-called "PHP shells" which are
>> explicitly designed to exploit this).
>
> I think it’s more than that. If I upload some executable, I still have
> to find a way to actually execute it (e.g. a badly configured web
> server). Using subversion, I execute anything in _any case_, making
> scponly useless for its purpose.

You need write permission on the Subversion repository.  I think it's
pretty obvious that you can change the Subversion hook scripts once
you've got them.

There are tons of programs which will lead to a similar
situation--basically anything that reads a user-specific
configuration file.

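A defender-side check for the situation discussed in this message, as an added example that is not part of the original email: it reports entries in a repository's hooks directory that are not owned by the expected account or that are group- or world-writable. The function name `audit_svn_hooks`, its arguments and the `review:` output prefix are assumptions made for this example; the only thing taken as given is the standard Subversion repository layout with a `hooks/` directory.

```shell
#!/bin/sh
# Added example: audit who can modify a Subversion repository's hook scripts.
# Usage: audit_svn_hooks <repository-path> <expected-owner>
#   <expected-owner> is the account name or numeric uid that should own hooks/.
# Return status: 0 = nothing to review, 1 = findings printed, 2 = no hooks/ dir.

audit_svn_hooks() {
    repo=$1
    owner=$2
    hooks="$repo/hooks"

    if [ ! -d "$hooks" ]; then
        echo "no-hooks-dir: $hooks"
        return 2
    fi

    # Examine the hooks directory itself and everything below it.
    # An entry is reported when it is not owned by the expected account,
    # or when its mode grants write access to group or others.
    # Symbolic links are reported as well, because their mode bits are
    # permissive and their targets are not followed here.
    findings=$(find "$hooks" \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed 's/^/review: /'
        return 1
    fi
    return 0
}

# Run directly when a repository path and owner are given on the command line.
if [ "$#" -ge 2 ]; then
    audit_svn_hooks "$1" "$2"
fi
```

A clean result covers only the hooks directory; the same ownership and mode check applies to any other file that a program run on the user's behalf reads as configuration.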