Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
Hi,

Thank you for your work. I have uploaded the lenny version to stable-security, with one further addition: added the CVE entries for previous updates to the changelog. When we can release this update, it will automatically propagate to testing and unstable since versions are equal.

Pierre, when making a new upload of 2.1.x, please ensure that all CVE entries included in the current package changelog are copied into your new version.

cheers,
Thijs
Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
Package: websvn
Version: 2.0-4
Severity: grave
Tags: security
Justification: user security hole

When WebSVN is configured to use an SVN authz file to check user permissions, it only lists the repositories to which the user has been granted authorization (like expected). However, a malicious (authenticated) user can make an educated guess about other repositories and alter the WebSVN URL to gain (limited) access to these repositories.

Example: a user has been granted authorization for repository projects, but not to classified-projects. After logging in to WebSVN (using some authentication method), WebSVN checks which repositories should be listed and only lists projects. The URL to browse this repository is like this:

http://websvn.tetra.nl/listing.php?repname=projects

The malicious user can now alter this URL to access the classified-projects repository:

http://websvn.tetra.nl/listing.php?repname=classified-projects

Although WebSVN refuses to show the directories and files in the repository (i.e. browsing is quite hard), it does present the links "compare with previous" and "show changed files". These provide access to the changelogs and diffs, while the user wasn't supposed to have any access to classified-projects.

Especially in an environment where multiple users share a single server for their repositories, this behavior is very undesirable and imposes a security risk.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages websvn depends on:
ii apache2 2.2.3-4+etch5 Next generation, scalable, extenda
ii apache2-mpm-prefork [http 2.2.3-4+etch5 Traditional model for Apache HTTPD
ii debconf [debconf-2.0] 1.5.11etch1 Debian configuration management sy
ii libapache2-mod-php5 5.2.0-8+etch13 server-side, HTML-embedded scripti
ii php5 5.2.0-8+etch13 server-side, HTML-embedded scripti
ii po-debconf 1.0.8 manage translated Debconf template
ii subversion 1.4.2dfsg1-2 Advanced version control system
ii ucf 2.0020 Update Configuration File: preserv

Versions of packages websvn recommends:
ii enscript 1.6.4-11 Converts ASCII text to Postscript,

-- debconf information:
* websvn/webservers: apache2
* websvn/configuration: true
* websvn/parentpath: /home/svn/repositories
* websvn/repositories:
* websvn/permissions:
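A log check for the access pattern described in the report above, added here as an example (it is not part of the original thread or of WebSVN): it compares the `repname` parameter of every authenticated request, on any endpoint, against what the authz file grants that user. The authz text and log lines are constructed samples; the Apache combined log format and the rule that any `r`/`rw` grant inside a repository section counts as access are assumptions of this sketch.

```python
import configparser
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample authz file (standard Subversion authz syntax).
AUTHZ = """[groups]
staff = carol
[projects:/]
alice = rw
@staff = r
[classified-projects:/]
carol = rw
"""

# Constructed access-log lines, Apache combined format (third field = user).
LOG = [
    '10.0.0.5 - alice [10/Jan/2009:09:00:01 +0100] "GET /listing.php?repname=projects HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [10/Jan/2009:09:00:09 +0100] "GET /listing.php?repname=classified-projects HTTP/1.1" 200 2048',
    '10.0.0.7 - carol [10/Jan/2009:09:02:00 +0100] "GET /listing.php?repname=classified-projects HTTP/1.1" 200 7301',
]
LINE = re.compile(r'^\S+ \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*"')

def readable_repos(authz_text, user):
    """Repositories where `user` (directly, via a group, or via *) has read access."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep user and repository names case-sensitive
    cp.read_string(authz_text)
    members = cp.items("groups") if cp.has_section("groups") else []
    names = {"*", user} | {"@" + g for g, m in members
                           if user in [u.strip() for u in m.split(",")]}
    return {s.split(":", 1)[0] for s in cp.sections() if ":" in s
            for who, perm in cp.items(s) if who in names and "r" in perm}

def unauthorized_requests(log_lines, authz_text):
    """(user, repname) pairs for requests naming a repository the user cannot read."""
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m or m.group(1) == "-":  # skip unparsable or anonymous requests
            continue
        user, target = m.groups()
        allowed = readable_repos(authz_text, user)
        for repo in parse_qs(urlsplit(target).query).get("repname", []):
            if repo not in allowed:
                hits.append((user, repo))
    return hits
```

Each hit is a lead for review rather than proof of disclosure, since the log alone does not show what the page returned.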
Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
* Bas van Schaik:

> When WebSVN is configured to use an SVN authz file to check user permissions, it only lists the repositories to which the user has been granted authorization (like expected).

Thanks. Has this been reported anywhere else? Do we still need to contact upstream about this?
Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
Florian Weimer wrote:

> * Bas van Schaik:
>
>> When WebSVN is configured to use an SVN authz file to check user permissions, it only lists the repositories to which the user has been granted authorization (like expected).
>
> Thanks. Has this been reported anywhere else? Do we still need to contact upstream about this?

I didn't contact upstream about it, I just found out last night. Would you like me to contact upstream, or will you take care of it?

-- Bas
Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
I've just downloaded the WebSVN 2.1 tarball and it is not vulnerable to this issue. Therefore, reporting to upstream doesn't make any sense...

However, WebSVN 2.0 will appear in Lenny. I think the fix should be backported to 2.0 or Lenny should contain WebSVN 2.1.
Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
* Bas van Schaik:

> I've just downloaded the WebSVN 2.1 tarball and it is not vulnerable to this issue. Therefore, reporting to upstream doesn't make any sense...
>
> However, WebSVN 2.0 will appear in Lenny. I think the fix should be backported to 2.0 or Lenny should contain WebSVN 2.1.

Probably, yes, although the severity is somewhat debatable.

etch is not affected because that WebSVN version does not implement authentication.