SecurityTracker.com Archives - Subversion mod_authz_svn Lets Remote Authenticated Users View Restricted Sections

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Subversion

Vendors: subversion.tigris.org

Subversion mod_authz_svn Lets Remote Authenticated Users View Restricted Sections

SecurityTracker Alert ID: 1010779

SecurityTracker URL: http://securitytracker.com/id?1010779

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Jul 26 2004

Impact: Disclosure of user information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 1.0.5 and prior versions

Description: A vulnerability was reported in Subversion in mod_authz_svn. A remote authenticated user can view portions of the repository that they are not authorized to access.

The vendor reported that a remote authenticated user with write access privileges to the repository can view portions of the repository that they are not authorized to view.

A remote authenticated user can invoke mod_authz_svn to copy portions of a repository and then read the copied portion.

This vulnerability does not affect svnserve, the vendor said.

Impact: A remote authenticated user with write privileges can view portions of the repository that they are not authorized to view.

Solution: The vendor has released fixed versions (1.0.6, 1.1.0-rc1), available at:

http://subversion.tigris.org/project_packages.html

Vendor URL: subversion.tigris.org/security/mod_authz_svn-copy-advisory.txt (Links to External Site)

Cause: Access control error

Underlying OS: Linux (Any), UNIX (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

Jul 27 2004

(Gentoo Issues Fix) Subversion mod_authz_svn Lets Remote Authenticated Users View Restricted Sections ("Joshua J. Berry" <condordes@gentoo.org>)
Gentoo has released a fix.

Source Message Contents

Date: Mon, 26 Jul 2004 12:51:40 -0400
Subject: http://subversion.tigris.org/security/mod_authz_svn-copy-advisory.txt

 

http://subversion.tigris.org/security/mod_authz_svn-copy-advisory.txt

Subversion versions up to and including 1.0.5 have a bug in
mod_authz_svn that allows users with write access to read
portions of the repository that they do not have read access
to.  Subversion 1.0.6 and newer (including 1.1.0-rc1) are not
vulnerable to this issue.

Details:
========

mod_authz_svn would allow a user to copy portions of a repo to which
they did not have read permissions to portions that they did have
read permissions on, thereby evading the read restrictions.

Severity:
=========

This is a low risk issue.  Only sites running mod_authz_svn (an
Apache module) that are trying to restrict some of their users
with write access to a repo from reading part of that repo are
vulnerable.

Most installations will not fall into this category.
Additionally, any attempt to use such a vulnerability will be
apparent as the copy will be versioned.  Plus, it's doubtful
any site would permit public write access to its repository
so this issue should not be accessible by unauthenticated users.

This vulnerability does not affect users running svnserve.

Workarounds:
============

* Disable DAV and use svnserve.

* Separate content into different repos.

* Disable the COPY method via Apache configuration.  Note this will
   disallow all copies.

Recommendations:
================

We recommend all users upgrade to 1.0.6 or 1.1.0-rc1.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2004, SecurityGlobal.net LLC