You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by Bert Huijben <rh...@sharpsvn.net> on 2009/02/05 15:04:08 UTC
Transaction names in post Uris webdav
[I sent this mail to the dev list; not the security list... as this part
of the HTTPv2 protocol is not even implemented right now!]
Hi,
Our webdav implementation creates a public Uri to communicate over when
a transaction is started and closes it when the transaction is
committed. (Or aborted?).
Anyway, in HTTPv1 we generated a UUID and used that as the public
transaction ID. This made it impossible to guess the transaction ID for
outstanders that didn't start the transaction.
(As far as I know everyone can write to this public Uri when they get
through the initial security check).
For HTTPv2 the decision was made to no longer create a generated UUID ->
Filesystem transaction mapping, but to use the real transaction ID used
by the filesystem in the Uri.
This might introduce a security problem, as it is certainly possible to
guess a filesystem transaction id. (I think FSFS uses two integers as
the transaction id.. the first of which specifies at which revision the
transaction started).
I don't know our webdav protocol and its emplementation well enough to
be sure that this is actually a security problem. (Or that we just store
the author in the transaction and verify that on every transaction
update). But I want to make sure we don't introduce a backdoor where..
The attack vector I'm afraid of is:
Lets assume I know UserX is working on the WC library ...
* That would make trunk/subversion/libsvn_wc a likely transaction root.
* I continuously try to write a new deprecated.c to this transaction
root based on the guessed transaction numbers.. and voila in one of the
thousands of requests I guess the transaction correctly, so it actually
succeeds.
Eventually UserX commits his transaction, but he commits deprecated.c
with it.
So in this case I can changed his transaction, without any trace in the
history. (And probably break his working copy too)..
Is this a realistic attack?
I surely hope it isn't...
But I want to be sure... So please shoot on this guessing..
Thanks,
Bert
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1107805
RE: Transaction names in post Uris webdav
Posted by Bert Huijben <rh...@sharpsvn.net>.
> -----Original Message-----
> From: sussman@gmail.com [mailto:sussman@gmail.com] On Behalf Of Ben
> Collins-Sussman
> Sent: donderdag 5 februari 2009 17:03
> To: Bert Huijben
> Cc: dev@subversion.tigris.org
> Subject: Re: Transaction names in post Uris webdav
>
> I don't think there's a realistic attack vector here, for two reasons:
>
> 1. Most (sane) apache configurations only allow authenticated commits.
> So even if an attacker could guess the name of a
> transaction-in-progress, they would still have to be an authenticated
> commiter to do a PUT at all. Teams which allow anonymous commits...
> well, they deserve what they get. :-)
>
> 2. mod_dav_svn already prevents 'multi-author' commits. Whenever a
> PUT comes in on a transaction, it checks that the authenticated
> username on the PUT matches the transaction's existing svn:author
> property. (If there's no svn:author property yet, it creates it.)
> For details, see mod_dav_svn/repos.c:prep_working().
Hi,
The attack vector I was thinking of was closed by point 2. And thanks for
the source reference :)
Thanks for confirming we didn't forget something here!
Bert
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1108126
Re: Transaction names in post Uris webdav
Posted by Ben Collins-Sussman <su...@red-bean.com>.
I don't think there's a realistic attack vector here, for two reasons:
1. Most (sane) apache configurations only allow authenticated commits.
So even if an attacker could guess the name of a
transaction-in-progress, they would still have to be an authenticated
commiter to do a PUT at all. Teams which allow anonymous commits...
well, they deserve what they get. :-)
2. mod_dav_svn already prevents 'multi-author' commits. Whenever a
PUT comes in on a transaction, it checks that the authenticated
username on the PUT matches the transaction's existing svn:author
property. (If there's no svn:author property yet, it creates it.)
For details, see mod_dav_svn/repos.c:prep_working().
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1108001