Package: websvn
Version: 2.0-4
Severity: grave
Tags: security
Justification: user security hole
When WebSVN is configured to use an SVN authz file to check user permissions, it only lists the repositories to which the user has been granted authorization (as expected). However, a malicious (authenticated) user can make an educated guess about other repositories and alter the WebSVN URL to gain (limited) access to these repositories.

Example: a user has been granted authorization for repository "projects", but not for "classified-projects". After logging in to WebSVN (using some authentication method), WebSVN checks which repositories should be listed and only lists "projects". The URL to browse this repository looks like this:

http://websvn.tetra.nl/listing.php?repname=projects

The malicious user can now alter this URL to access the "classified-projects" repository:

http://websvn.tetra.nl/listing.php?repname=classified-projects

Although WebSVN refuses to show the directories and files in the repository (i.e. browsing is quite hard), it does present the links "compare with previous" and "show changed files". These provide access to the changelogs and diffs, while the user wasn't supposed to have any access to "classified-projects".

Especially in an environment where multiple users share a single server for their repositories, this behavior is very undesirable and poses a security risk.
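As an added illustration of the fix a defender would want, and not code from this report or from WebSVN itself: a minimal Subversion authz parser with a single read check that gates every view by its repname, so the "compare" and "changed files" pages cannot be reached for a repository the user is not allowed to list. The authz contents, user and repository names, and the view names are constructed for the example.

```python
import configparser

# Constructed authz file (Subversion format); users and repositories are made up.
AUTHZ_TEXT = """
[groups]
dev = alice, bob
[projects:/]
@dev = rw
carol = r
[classified-projects:/]
bob = rw
"""

# Hypothetical WebSVN-style views; every one of them takes a repname parameter.
ACTIONS = ("listing", "compare", "changed_files")


def parse_authz(text):
    """Return (groups, rules): group memberships and {repo: {path: {principal: perm}}}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # principals are case-sensitive, keep them as written
    cp.read_string(text)
    groups = {g: {m.strip() for m in members.split(",")}
              for g, members in (cp.items("groups") if cp.has_section("groups") else [])}
    rules = {}
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue
        # "[repo:/path]" is repo-specific; a bare "[/path]" applies to all repositories
        repo, path = section.split(":", 1) if ":" in section else ("", section)
        rules.setdefault(repo, {})[path] = dict(cp.items(section))
    return groups, rules


def can_read(user, repo, groups, rules):
    """True iff user may read the root of repo (an explicit user rule beats group/wildcard rules)."""
    entries = rules.get(repo, {}).get("/") or rules.get("", {}).get("/") or {}
    if user in entries:
        return "r" in entries[user]
    perm = "".join(p for principal, p in entries.items()
                   if principal in ("*", "$authenticated")
                   or (principal.startswith("@") and user in groups.get(principal[1:], ())))
    return "r" in perm


def handle_request(user, action, repname, authz):
    """Single gate for every view: decide on repname before any repository data is read."""
    groups, rules = authz
    if action not in ACTIONS:
        return 404
    return 200 if can_read(user, repname, groups, rules) else 403
```

The point is that the same check used to build the repository list is the one that decides every request, so changing repname in the URL yields 403 rather than a diff.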
-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages websvn depends on:
ii  apache2                    2.2.3-4+etch5   Next generation, scalable, extenda
ii  apache2-mpm-prefork [http  2.2.3-4+etch5   Traditional model for Apache HTTPD
ii  debconf [debconf-2.0]      1.5.11etch1     Debian configuration management sy
ii  libapache2-mod-php5        5.2.0-8+etch13  server-side, HTML-embedded scripti
ii  php5                       5.2.0-8+etch13  server-side, HTML-embedded scripti
ii  po-debconf                 1.0.8           manage translated Debconf template
ii  subversion                 1.4.2dfsg1-2    Advanced version control system
ii  ucf                        2.0020          Update Configuration File: preserv

Versions of packages websvn recommends:
ii  enscript                   1.6.4-11        Converts ASCII text to Postscript,

-- debconf information:
* websvn/webservers: apache2
* websvn/configuration: true
* websvn/parentpath: /home/svn/repositories
* websvn/repositories:
* websvn/permissions: