On 02.09.2007, at 18:29, Florian Weimer wrote:
* Joachim Breitner:
This is an unfortunate interaction between scponly and Subversion, but
not a real bug in any of the programs. The same problem arises when a
scponly-restricted user uploads any form of executable contents. CGI
scripts are more common (and their so-called "PHP shells" which are
explicitly designed to exploit this).
I think it’s more than that. If I upload some executable, I still have
to find a way to actually execute it (e.g. a badly configured web
server). Using subversion, I execute anything in _any case_, making
scponly useless for its purpose.
You need write permission on the Subversion repository. I think it's
pretty obvious that you can change the Subversion hook scripts once
you've got them.
But you can upload a private repository, trigger the hook
and remove it afterwards.
I believe this is a real security problem, and I'm not
quite sure how to fix this without disabling subversion
support. But granted, I wouldn't call it a bug, either.
It's no flaw in any of the programs involved, rather it
is a constellation no one thought of before.
There are tons of programs which will lead to a similar
situation--basically anything that reads a user-specific
configuration file.
Well, reading a file is harmless compared to running
arbitrary scripts.
Tom
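
An audit for the situation discussed in this thread, as an added example that is not part of the original message or of scponly or Subversion: it lists executable hook scripts in any Subversion repository found under a directory tree such as the home directories of scponly-restricted accounts. It assumes the on-disk layout created by `svnadmin create` (`format`, `db/`, `hooks/`) and the standard Unix hook names; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report active Subversion hook scripts under a directory tree.

# Hook names Subversion looks for in a repository's hooks/ directory.
# Template files (*.tmpl) are never run and are therefore not listed.
SVN_HOOKS="start-commit pre-commit post-commit pre-revprop-change
post-revprop-change pre-lock post-lock pre-unlock post-unlock"

# is_svn_repo DIR: succeed if DIR looks like a Subversion repository
# (assumed layout: a format file plus db/ and hooks/ directories).
is_svn_repo() {
    [ -f "$1/format" ] && [ -d "$1/db" ] && [ -d "$1/hooks" ]
}

# find_active_hooks ROOT: print the path of every executable hook script
# in every repository below ROOT, one per line.
find_active_hooks() {
    find "$1" -type d -name hooks 2>/dev/null |
    while IFS= read -r hooks_dir; do
        repo=${hooks_dir%/hooks}
        # Skip directories that merely happen to be called "hooks".
        is_svn_repo "$repo" || continue
        for name in $SVN_HOOKS; do
            hook="$hooks_dir/$name"
            if [ -f "$hook" ] && [ -x "$hook" ]; then
                printf '%s\n' "$hook"
            fi
        done
    done
}

# Stand-alone use: sh audit-hooks.sh /home
if [ $# -gt 0 ]; then
    find_active_hooks "$1"
fi
```

A scan like this is point-in-time only: as noted above, a repository can be uploaded, used to trigger a hook and removed afterwards, so an empty result does not show that no hook ever ran.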