Your message dated Wed, 25 Feb 2009 15:22:05 +0000
with message-id <e1lclah-0005db...@ries.debian.org>
and subject line Bug#512191: fixed in websvn 2.1.0-1
has caused the Debian Bug report #512191,
regarding websvn: WebSVN exposes protected files to users with insufficient permissions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
512191: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512191
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: websvn
Version: 2.0-4
Severity: grave
Tags: security
Justification: user security hole
When WebSVN is configured to use an SVN authz file to check user
permissions, it only lists the repositories to which the user has
been granted authorization (as expected).
However, a malicious (authenticated) user can make an educated guess about
other repositories and alter the WebSVN URL to gain (limited) access to
these repositories.
Example: a user has been granted authorization for repository
"projects", but not to "classified-projects". After logging in to WebSVN
(using some authentication method), WebSVN checks which repositories
should be listed and only lists "projects". The URL to browse this
repository is like this:
http://websvn.tetra.nl/listing.php?repname=projects
The malicious user can now alter this URL to access the
"classified-projects" repository:
http://websvn.tetra.nl/listing.php?repname=classified-projects
Although WebSVN refuses to show the directories and files in the
repository (i.e. browsing is quite hard), it does present the links
"compare with previous" and "show changed files". These provide access
to the changelogs and diffs, while the user wasn't supposed to have any
access to "classified-projects".
Especially in an environment where multiple users share a single server
for their repositories, this behavior is very undesirable and poses a
security risk.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages websvn depends on:
ii apache2 2.2.3-4+etch5 Next generation, scalable, extenda
ii apache2-mpm-prefork [http 2.2.3-4+etch5 Traditional model for Apache HTTPD
ii debconf [debconf-2.0] 1.5.11etch1 Debian configuration management sy
ii libapache2-mod-php5 5.2.0-8+etch13 server-side, HTML-embedded scripti
ii php5 5.2.0-8+etch13 server-side, HTML-embedded scripti
ii po-debconf 1.0.8 manage translated Debconf template
ii subversion 1.4.2dfsg1-2 Advanced version control system
ii ucf 2.0020 Update Configuration File: preserv
Versions of packages websvn recommends:
ii enscript 1.6.4-11 Converts ASCII text to Postscript,
-- debconf information:
* websvn/webservers: apache2
* websvn/configuration: true
* websvn/parentpath: /home/svn/repositories
* websvn/repositories:
* websvn/permissions:
--- End Message ---
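The report above describes a missing function-level access check: the authz file is consulted when the repository list is built, but the per-repository actions reached through the URL ("compare with previous", "show changed files") trust the `repname` parameter without re-checking it. The following is an added example, written for this page and not code from the bug report, WebSVN or the Debian package. It is in Python rather than WebSVN's PHP so that it runs stand-alone; the authz file, the repository names and the repository contents are constructed, `parse_authz`/`can_read` are a deliberately simplified reading of Subversion's authz format (most specific path wins, repository-specific section before a global one, read access if any matching rule grants `r`), and `vulnerable_dispatch`/`hardened_dispatch` are hypothetical request handlers that contrast the reported behaviour with the check that closes the hole.

```python
import configparser
from pathlib import PurePosixPath

# Constructed authz file in Subversion's ini-style format (not from the report).
AUTHZ_TEXT = """
[groups]
devs = alice, bob

[projects:/]
@devs = rw
carol = r

[classified-projects:/]
alice = rw
"""

# Constructed stand-ins for the data WebSVN would fetch from svn for each action.
REPOSITORIES = {
    "projects": {"log": ["r1: initial import"], "changed": ["/trunk/README"]},
    "classified-projects": {"log": ["r7: tender figures"], "changed": ["/trunk/bid.xls"]},
}


def parse_authz(text):
    """Parse an authz file into (groups, rules); rules maps repo -> [(path, principal, perms)].
    A section without a repository prefix ('[/]') is stored under the key None (applies to all)."""
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    rules = {}
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue
        repo, path = section.split(":", 1) if ":" in section else (None, section)
        for principal, perms in cp.items(section):
            rules.setdefault(repo, []).append((path, principal, (perms or "").strip()))
    return groups, rules


def _applies(principal, user, groups):
    """Does a rule's principal ('*', '@group' or a user name) cover this user?"""
    if principal == "*":
        return True
    if principal.startswith("@"):
        return user in groups.get(principal[1:], set())
    return principal == user


def can_read(authz, user, repo, path="/"):
    """Simplified authz lookup: walk from the requested path up to '/', trying the
    repository-specific section before the global one; the first section with a
    matching rule decides, and read access needs an 'r' in some matching rule."""
    groups, rules = authz
    p = PurePosixPath(path)
    for candidate in [str(p), *(str(parent) for parent in p.parents)]:
        for scope in (repo, None):
            matching = [perms for (rpath, principal, perms) in rules.get(scope, [])
                        if rpath == candidate and _applies(principal, user, groups)]
            if matching:
                return any("r" in perms for perms in matching)
    return False  # no rule at all: deny by default


def vulnerable_dispatch(authz, user, action, repname):
    """The pattern the report describes: authz is consulted only to build the
    repository list, so a guessed repname reaches the log/diff actions unchecked."""
    if action == "list":
        return [r for r in REPOSITORIES if can_read(authz, user, r)]
    repo = REPOSITORIES.get(repname)
    return None if repo is None else repo[action]


def hardened_dispatch(authz, user, action, repname):
    """Every per-repository action re-checks authz before touching repository data,
    and an unauthorized or unknown repname gets the same empty answer."""
    if action == "list":
        return [r for r in REPOSITORIES if can_read(authz, user, r)]
    if not can_read(authz, user, repname):
        return None
    repo = REPOSITORIES.get(repname)
    return None if repo is None else repo[action]


if __name__ == "__main__":
    authz = parse_authz(AUTHZ_TEXT)
    # carol sees only "projects" in the listing in both versions ...
    print(vulnerable_dispatch(authz, "carol", "list", None))
    # ... but only the hardened handler also refuses the guessed repository name.
    print(vulnerable_dispatch(authz, "carol", "changed", "classified-projects"))
    print(hardened_dispatch(authz, "carol", "changed", "classified-projects"))
```

The design point is that the listing filter is a convenience, not the access control: the check must sit in front of every code path that reads repository data, keyed on the same `repname` the URL supplies, and it should answer identically for "exists but forbidden" and "does not exist" so that the repository list cannot be reconstructed by guessing.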
--- Begin Message ---
Source: websvn
Source-Version: 2.1.0-1
We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive:
websvn_2.1.0-1.diff.gz
to pool/main/w/websvn/websvn_2.1.0-1.diff.gz
websvn_2.1.0-1.dsc
to pool/main/w/websvn/websvn_2.1.0-1.dsc
websvn_2.1.0-1_all.deb
to pool/main/w/websvn/websvn_2.1.0-1_all.deb
websvn_2.1.0.orig.tar.gz
to pool/main/w/websvn/websvn_2.1.0.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 512...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pierre Chifflier <pol...@debian.org> (supplier of updated websvn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 25 Feb 2009 14:31:08 +0100
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.1.0-1
Distribution: unstable
Urgency: low
Maintainer: Pierre Chifflier <pol...@debian.org>
Changed-By: Pierre Chifflier <pol...@debian.org>
Description:
websvn - interface for Subversion repositories written in PHP
Closes: 491980 508488 512191
Changes:
websvn (2.1.0-1) unstable; urgency=low
.
* New Upstream Version (Closes: #491980)
* Drop following patches, merged upstream:
10_security_dir_transversal.patch
11_security_css.patch
12_security_known_path_cve_2009_0240.patch
* New patch:
20_use_global_geshi.patch
21_fix_conf_file.patch
* Acknowledge NMU (Thanks Emilio) Closes: #512191, #508488
- References: CVE-2009-0240
* Add Homepage field
* Fix lintian warnings:
W: websvn: maintainer-script-ignores-errors config
W: websvn: spelling-error-in-description subversion Subversion
W: websvn source: patch-system-but-direct-changes-in-diff .pc/.version
W: websvn source: debhelper-but-no-misc-depends websvn
Checksums-Sha1:
03fffd1d6f486dccd142faa1c0914ac3016b13d8 1013 websvn_2.1.0-1.dsc
55eef34a33271109a9781b392d1684cdfc65a07c 572038 websvn_2.1.0.orig.tar.gz
2d9144f7e29430d9a1a388c7b16f67e7b6112f36 21642 websvn_2.1.0-1.diff.gz
6614dcd929221e989b6af8181564b80a504e740b 195470 websvn_2.1.0-1_all.deb
Checksums-Sha256:
398d4a68b1ce899ce8ada4845abd1293441c9e037cc7eefecfe3df84e95c256c 1013 websvn_2.1.0-1.dsc
d201eaf8dcf962c8402c2fdd1a798a5b5d4a9700b20c0dadfd83397ffe15afa6 572038 websvn_2.1.0.orig.tar.gz
b79f9e30630b7f134128b0f4291204f3cdca28ab73eacb81b4991d54f49c7e11 21642 websvn_2.1.0-1.diff.gz
e7c963e40cd675560a27e3f626c162fbe851dfce761920f75daf1c604bd1652a 195470 websvn_2.1.0-1_all.deb
Files:
6ec940992036352a450a6637975e91d0 1013 devel optional websvn_2.1.0-1.dsc
0973edc5ca348424104147846b7d7152 572038 devel optional websvn_2.1.0.orig.tar.gz
2a78f4edb3620c4ab29b99c2c6f5f81d 21642 devel optional websvn_2.1.0-1.diff.gz
99077bb8d1e2afb2aa5a4df357a2883d 195470 devel optional websvn_2.1.0-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJpVNetwVrWo1fQMsRAvfJAJ0c8dw9SdMGDZ4nKqtwTbAMDA5MgwCg5nMH
Kcf8DrKsZQrOBr+48ev8ZZE=
=401Y
-----END PGP SIGNATURE-----
--- End Message ---