Your message dated Sat, 11 Apr 2009 16:47:45 +0000
with message-id <e1lsgmr-0001z9...@ries.debian.org>
and subject line Bug#512191: fixed in websvn 2.0-4+lenny1
has caused the Debian Bug report #512191,
regarding websvn: WebSVN exposes protected files to users with insufficient permissions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
512191: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512191
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: websvn
Version: 2.0-4
Severity: grave
Tags: security
Justification: user security hole

When WebSVN is configured to use an SVN authz file to check user
permissions, it only lists the repositories to which the user has
been granted authorization (like expected).

However, a malicious (authenticated) user can make an educated guess about
other repositories and alter the WebSVN URL to gain (limited) access to
these repositories.

Example: a user has been granted authorization for repository
"projects", but not to "classified-projects". After logging in to WebSVN
(using some authentication method), WebSVN checks which repositories
should be listed and only lists "projects". The URL to browse this
repository is like this:
  http://websvn.tetra.nl/listing.php?repname=projects

The malicious user can now alter this URL to access the
"classified-projects" repository:
  http://websvn.tetra.nl/listing.php?repname=classified-projects

Although WebSVN refuses to show the directories and files in the
repository (i.e. browsing is quite hard), it does present the links
"compare with previous" and "show changed files". These provide access
to the changelogs and diffs, while the user wasn't supposed to have any
access to "classified-projects".

Especially in an environment where multiple users share a single server
for their repositories, this behavior is very undesirable and imposes a
security risk.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages websvn depends on:
ii  apache2                   2.2.3-4+etch5  Next generation, scalable, extenda
ii  apache2-mpm-prefork [http 2.2.3-4+etch5  Traditional model for Apache HTTPD
ii  debconf [debconf-2.0]     1.5.11etch1    Debian configuration management sy
ii  libapache2-mod-php5       5.2.0-8+etch13 server-side, HTML-embedded scripti
ii  php5                      5.2.0-8+etch13 server-side, HTML-embedded scripti
ii  po-debconf                1.0.8          manage translated Debconf template
ii  subversion                1.4.2dfsg1-2   Advanced version control system
ii  ucf                       2.0020         Update Configuration File: preserv

Versions of packages websvn recommends:
ii  enscript                      1.6.4-11   Converts ASCII text to Postscript,

-- debconf information:
* websvn/webservers: apache2
* websvn/configuration: true
* websvn/parentpath: /home/svn/repositories
* websvn/repositories:
* websvn/permissions:



--- End Message ---
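The defect described in the report is an authorization check applied only when the repository list is built, so a guessed `repname` reaches the "compare" and "show changed files" actions unchecked. The following is an added Python example (not WebSVN's PHP and not Debian's or upstream's own code) of an SVN authz reader plus a single gate that is evaluated for every request; the authz text, user names and repository names are constructed for the reporter's scenario, and the precedence rules are a simplification of Subversion's real ones.

```python
import configparser  # SVN authz files use INI-style [groups] and [repo:/path] sections

# Constructed sample authz file: alice may read "projects" but not "classified-projects".
AUTHZ = """
[groups]
devs = alice, bob

[projects:/]
@devs = rw

[projects:/secret]
@devs =

[classified-projects:/]
carol = r
"""

def parse_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep principal names case-sensitive ("@devs", "*")
    cp.read_string(text)
    groups = {g: [m.strip() for m in v.split(",")] for g, v in cp["groups"].items()} if "groups" in cp else {}
    rules = {}  # (repo, path) -> {principal: perms}
    for sec in cp.sections():
        if sec == "groups":
            continue
        repo, _, path = sec.partition(":")
        rules[(repo, path or "/")] = dict(cp[sec])
    return groups, rules

def can_read(user, repo, path, groups, rules):
    """Walk from the requested path up to "/"; the nearest section with a matching
    principal decides (simplified: first matching entry in that section wins)."""
    names = {user, "*"} | {"@" + g for g, members in groups.items() if user in members}
    p = path.rstrip("/") or "/"
    while True:
        for principal, perms in rules.get((repo, p), {}).items():
            if principal in names:
                return "r" in perms
        if p == "/":
            return False  # no rule anywhere on the path: deny by default
        p = p.rsplit("/", 1)[0] or "/"

AUTHZ_RULES = parse_authz(AUTHZ)

def visible_repositories(user, authz=AUTHZ_RULES):
    groups, rules = authz
    return sorted({r for r, _ in rules if can_read(user, r, "/", groups, rules)})

def handle_request(user, action, repname, path="/", authz=AUTHZ_RULES):
    """Gate run before *every* action (listing, log, comp, diff), not only when
    listing repositories, so a hand-edited repname gets the same answer."""
    groups, rules = authz
    if not can_read(user, repname, path, groups, rules):
        return (403, "access denied")
    return (200, f"{action} on {repname}{path}")
```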
--- Begin Message ---
Source: websvn
Source-Version: 2.0-4+lenny1

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive:

websvn_2.0-4+lenny1.diff.gz
  to pool/main/w/websvn/websvn_2.0-4+lenny1.diff.gz
websvn_2.0-4+lenny1.dsc
  to pool/main/w/websvn/websvn_2.0-4+lenny1.dsc
websvn_2.0-4+lenny1_all.deb
  to pool/main/w/websvn/websvn_2.0-4+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <po...@ubuntu.com> (supplier of updated websvn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sat, 14 Feb 2009 16:30:02 +0100
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.0-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Pierre Chifflier <pol...@debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@ubuntu.com>
Description: 
 websvn     - interface for subversion repositories written in PHP
Closes: 508488 512191
Changes: 
 websvn (2.0-4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches/12_security_known_path_cve_2009_0240.patch:
     - Backports upstream changes from subversion r635, r636 and r649 to
       fix a security hole where authenticated users can access files
       with known paths. Closes: #512191.
     - Urgency high for the security fix.
     - References: CVE-2009-0240
   * debian/po/es.po:
     - Added Spanish debconf translation, thanks Francisco Javier Cuadrado.
       Closes: #508488.




--- End Message ---
