Posted to issues@archiva.apache.org by "Maria Odea Ching (JIRA)" <ji...@codehaus.org> on 2008/10/07 07:36:08 UTC
[jira] Created: (MRM-967) Security Issue: If repository observer role is enabled for the 'guest' user, an invalid user is able to deploy to that repository
Security Issue: If repository observer role is enabled for the 'guest' user, an invalid user is able to deploy to that repository
---------------------------------------------------------------------------------------------------------------------------------
Key: MRM-967
URL: http://jira.codehaus.org/browse/MRM-967
Project: Archiva
Issue Type: Bug
Components: Users/Security, WebDAV interface
Affects Versions: 1.1.2
Reporter: Maria Odea Ching
Priority: Critical
Steps to reproduce (using repository 'snapshots'):
1. Configure the <distributionManagement> of your project's pom to deploy your project to the 'snapshots' repository, as follows:
   <distributionManagement>
     <repository>
       <id>releases</id>
       <name>Releases Repository</name>
       <layout>default</layout>
       <url>dav:http://localhost:8080/archiva/repository/releases/</url>
     </repository>
     <snapshotRepository>
       <id>snapshots</id>
       <uniqueVersion>true</uniqueVersion>
       <name>Snapshots Repository</name>
       <layout>default</layout>
       <url>dav:http://localhost:8080/archiva/repository/snapshots/</url>
     </snapshotRepository>
   </distributionManagement>
2. Enable the 'snapshots' repository observer role for the 'guest' user.
3. Add invalid user credentials in your settings.xml for the 'snapshots' repository, as shown below:
   <server>
     <id>snapshots</id>
     <username>invalidusername</username>
     <password>password</password>
   </server>
4. Execute 'mvn clean deploy' in your project.
Alternatively, you can also use the deploy-file goal to replicate the issue so you won't need to configure your pom (e.g. 'mvn deploy:deploy-file -Dfile=nunit.framework.dll -DgroupId=NUnit -Dversion=2.4.8.0 -Dpackaging=dll -DartifactId=NUnit.Framework.dll -DrepositoryId=snapshots -Durl=http://localhost:8080/archiva/repository/snapshots -DgeneratePom=true')
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
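The access decision that the reproduction steps above exercise, as an added model in Python. This is not Archiva's code and the report does not show the server-side logic: the users, passwords, repository roles (simplified to 'observer' for read and 'manager' for write) and the "flawed" variant are constructed assumptions that reproduce the reported symptom (invalid credentials plus a guest observer role lets a deploy through), next to the check a repository server should make instead.

```python
# Added model of the access decision behind MRM-967. NOT Archiva's code:
# the flawed variant is a hypothetical reconstruction of the reported
# symptom; users, passwords and roles below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

READ_METHODS = {"GET", "HEAD", "OPTIONS", "PROPFIND"}

USERS = {"admin": "s3cret", "alice": "alicepw"}     # username -> password
ROLES = {                                           # (principal, repo) -> roles
    ("guest", "snapshots"): {"observer"},           # step 2 of the report
    ("admin", "snapshots"): {"observer", "manager"},
    ("alice", "snapshots"): {"observer"},
}

@dataclass
class Request:
    method: str
    repo: str
    username: Optional[str] = None
    password: Optional[str] = None

def authenticate(req: Request):
    """Return (principal, ok). ok is False only when credentials were sent and rejected."""
    if req.username is None:
        return "guest", True                        # anonymous: guest is legitimate
    if USERS.get(req.username) == req.password:
        return req.username, True
    return "guest", False                           # e.g. 'invalidusername' / 'password'

def decide_flawed(req: Request) -> int:
    """Hypothetical buggy decision: a failed login is silently treated as guest,
    and any role on the repository (observer included) lets a write through."""
    principal, _ = authenticate(req)
    return 200 if ROLES.get((principal, req.repo)) else 401

def decide_fixed(req: Request) -> int:
    """Hardened decision: reject bad credentials outright, then require the
    role that matches the HTTP method (observer to read, manager to write)."""
    principal, ok = authenticate(req)
    if not ok:
        return 401                                  # never downgrade a failed login to guest
    needed = "observer" if req.method in READ_METHODS else "manager"
    if needed in ROLES.get((principal, req.repo), set()):
        return 200
    return 401 if principal == "guest" else 403     # ask for login vs. forbid
```

The first assertion pair below is the scenario from the report: the same PUT with invalid credentials passes the flawed check and gets 401 from the hardened one, matching the result on 1.1.x in the comments.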
[jira] Commented: (MRM-967) Security Issue: If repository observer role is enabled for the 'guest' user, an invalid user is able to deploy to that repository
Posted by "Gwen Harold Autencio (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MRM-967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=150155#action_150155 ]
Gwen Harold Autencio commented on MRM-967:
------------------------------------------
Using the 'mvn deploy:deploy-file'
gwen@gautencio:~$ mvn deploy:deploy-file -Dfile=NUnit.Framework.dll-2.4.8.0.dll -DgroupId=NUnit -Dversion=2.4.8.0 -Dpackaging=dll -DartifactId=NUnit.Framework.dll -DrepositoryId=archiva-snapshots -Durl=http://localhost:9091/repository/snapshots/ -DgeneratePom=true
[INFO] Scanning for projects...
[INFO] Searching repository for plugin with prefix: 'deploy'.
[INFO] ------------------------------------------------------------------------
[INFO] Building Maven Default Project
[INFO] task-segment: [deploy:deploy-file] (aggregator-style)
[INFO] ------------------------------------------------------------------------
[INFO] [deploy:deploy-file]
Uploading: http://localhost:9091/repository/snapshots//NUnit/NUnit.Framework.dll/2.4.8.0/NUnit.Framework.dll-2.4.8.0.dll
31K uploaded
[INFO] ------------------------------------------------------------------------
[ERROR] BUILD ERROR
[INFO] ------------------------------------------------------------------------
[INFO] Error deploying artifact: Failed to transfer file: http://localhost:9091/repository/snapshots//NUnit/NUnit.Framework.dll/2.4.8.0/NUnit.Framework.dll-2.4.8.0.dll. Return code is: 401
[INFO] ------------------------------------------------------------------------
[INFO] For more information, run Maven with the -e switch
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1 second
[INFO] Finished at: Mon Oct 06 18:29:15 GMT+08:00 2008
[INFO] Final Memory: 3M/5M
[INFO] ------------------------------------------------------------------------
[jira] Closed: (MRM-967) Security Issue: If repository observer role is enabled for the 'guest' user, an invalid user is able to deploy to that repository
Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MRM-967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maria Odea Ching closed MRM-967.
--------------------------------
Assignee: Maria Odea Ching
Resolution: Fixed
Fix Version/s: 1.1.3
Fixed in trunk -r702027 and merged in 1.1.x branch -r702032.
[jira] Commented: (MRM-967) Security Issue: If repository observer role is enabled for the 'guest' user, an invalid user is able to deploy to that repository
Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MRM-967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=150153#action_150153 ]
Maria Odea Ching commented on MRM-967:
--------------------------------------
Btw, thanks Brett for finding/discovering the security issue :)
[jira] Commented: (MRM-967) Security Issue: If repository observer role is enabled for the 'guest' user, an invalid user is able to deploy to that repository
Posted by "Gwen Harold Autencio (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MRM-967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=150154#action_150154 ]
Gwen Harold Autencio commented on MRM-967:
------------------------------------------
Using the 'mvn deploy' command, tested archiva-1.1.x.
Result: tested archiva-1.1.x using the mvn deploy command.
gwen@gautencio:~/Desktop/my-app$ mvn deploy
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Building my-app
[INFO] task-segment: [deploy]
[INFO] ------------------------------------------------------------------------
[INFO] [resources:resources]
[INFO] Using default encoding to copy filtered resources.
[INFO] [compiler:compile]
[INFO] Nothing to compile - all classes are up to date
[INFO] [resources:testResources]
[INFO] Using default encoding to copy filtered resources.
[INFO] [compiler:testCompile]
[INFO] Nothing to compile - all classes are up to date
[INFO] [surefire:test]
[INFO] Surefire report directory: /home/gwen/Desktop/my-app/target/surefire-reports
-------------------------------------------------------
T E S T S
-------------------------------------------------------
Running com.mycompany.app.AppTest
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.038 sec
Results :
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
[INFO] [jar:jar]
[INFO] [install:install]
[INFO] Installing /home/gwen/Desktop/my-app/target/my-app-1.0-SNAPSHOT.jar to /home/gwen/.m2/repository/com/mycompany/app/my-app/1.0-SNAPSHOT/my-app-1.0-SNAPSHOT.jar
[INFO] [deploy:deploy]
altDeploymentRepository = null
[INFO] Retrieving previous build number from archiva-internal
Uploading: http://localhost:9091/repository/internal//com/mycompany/app/my-app/1.0-SNAPSHOT/my-app-1.0-20081007.034214-2.jar
2K uploaded
[INFO] ------------------------------------------------------------------------
[ERROR] BUILD ERROR
[INFO] ------------------------------------------------------------------------
[INFO] Error deploying artifact: Failed to transfer file: http://localhost:9091/repository/internal//com/mycompany/app/my-app/1.0-SNAPSHOT/my-app-1.0-20081007.034214-2.jar. Return code is: 401
[INFO] ------------------------------------------------------------------------
[INFO] For more information, run Maven with the -e switch
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 5 seconds
[INFO] Finished at: Tue Oct 07 11:42:14 GMT+08:00 2008
[INFO] Final Memory: 9M/16M
[INFO] ------------------------------------------------------------------------