Posted to dev@subversion.apache.org by Artem Egorkine <ar...@gmail.com> on 2006/06/20 14:48:12 UTC

DAV activity hijacking?

Hi,

Looking at mod_dav_svn, I had been thinking about whether it is possible
to hijack a DAV activity:

Being a legitimate user, checking something in over DAV, there's an
MKACTIVITY request. Now say there's a second malicious user that has
access to the repository and knows the UUID of the activity, he in
theory is able to DELETE or MERGE or do something bad to the activity
of the legitimate user.

Why worry, one may ask: if UUIDs are unique enough and a collision of
activities is theoretically not possible, there is no need to worry
that one legitimate user's action may interfere with another user's
action. One may argue that if there is such a malicious user that has
repository access like I just described, it is already bad -- if he is
interfering with a legitimate user's actions, nothing will stop him
from harming the repository anyway.

Now, if an activity's UUID is enough for its security (i.e. legitimate
users won't collide, and a malicious user with repository access can't be
protected against), is there really any need to check for global
repository write access when there's a DELETE request coming for an
activity?

-Artem

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: DAV activity hijacking?

Posted by Malcolm Rowe <ma...@farside.org.uk>.
On Thu, Jun 22, 2006 at 12:17:04PM +0300, Artem Egorkine wrote:
> If a user was successfully able to issue an MKACTIVITY request - he has
> been verified to have global write access to the repository. It is
> therefore not necessary to check for global write access on subsequent
> MERGE or DELETE requests.
> 
> That is of course if we can be sure that no other user can guess or
> snoop the uuid of the activity and either on purpose or by accident
> issue MERGE or DELETE on it.
> 

UUIDs are generally predictable (and more specifically, the type that
APR generates by itself is definitely predictable), so it's probably not
that hard to determine the UUID generated for another user's activity
(possibly, generate enough MKACTIVITY requests to get >1 per timer
resolution, watch for a gap in the generated UUID).

But don't we validate that the user who generated the activity is the
same one who is issuing further requests on it?  If we do, then you
might be right, though I wonder how long an activity is valid for,
which may explain why we want to re-validate the user's access.

Disclaimer: DAV is not my strong point.

Regards,
Malcolm

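The two safeguards Malcolm raises above (an activity id that cannot be guessed, and binding each activity to the principal that created it, while still re-checking write access on later requests) can be modelled in a few lines. The following is an added example, not code from mod_dav_svn or from anyone in this thread; `ActivityStore`, its `writers` set and the method names are hypothetical stand-ins for the server's real authz and activity storage.

```python
# Added example: a minimal model of DAV activity authorization that applies
# the mitigations discussed in the thread. Not mod_dav_svn's own code.
import uuid


class ActivityStore:
    """Tracks open activities and the user who created each one (hypothetical)."""

    def __init__(self, writers):
        # Hypothetical authz: the set of users with global write access.
        self.writers = set(writers)
        # activity id -> creating user
        self.owners = {}

    def mkactivity(self, user):
        """MKACTIVITY: requires global write access; returns an unguessable id."""
        if user not in self.writers:
            raise PermissionError("MKACTIVITY: no global write access")
        # uuid4 is drawn from os.urandom, unlike time/MAC-based ids (the
        # predictable kind the thread warns about), so another user cannot
        # derive it from the clock or from their own activity ids.
        activity_id = str(uuid.uuid4())
        self.owners[activity_id] = user
        return activity_id

    def check(self, user, method, activity_id):
        """MERGE/DELETE: re-check write access *and* require the creator."""
        if method not in ("MERGE", "DELETE"):
            raise ValueError("unsupported method: %s" % method)
        if user not in self.writers:
            return False  # access may have been revoked since MKACTIVITY
        owner = self.owners.get(activity_id)
        if owner is None:
            return False  # unknown, or already deleted, activity
        return owner == user  # a different writer may not touch it

    def delete(self, user, activity_id):
        """DELETE: remove the activity only if check() permits it."""
        if not self.check(user, "DELETE", activity_id):
            return False
        del self.owners[activity_id]
        return True
```

With this model a second writer who learns the id still cannot MERGE or DELETE it, and a user whose write access is revoked after MKACTIVITY is stopped at the next request.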

Re: DAV activity hijacking?

Posted by Artem Egorkine <ar...@gmail.com>.
To clarify, here is my point once again:

If a user was successfully able to issue an MKACTIVITY request - he has
been verified to have global write access to the repository. It is
therefore not necessary to check for global write access on subsequent
MERGE or DELETE requests.

That is of course if we can be sure that no other user can guess or
snoop the uuid of the activity and either on purpose or by accident
issue MERGE or DELETE on it.
