You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@archiva.apache.org by "Maria Odea Ching (JIRA)" <ji...@codehaus.org> on 2008/10/07 07:39:08 UTC

[jira] Closed: (MRM-967) Security Issue: If repository observer role is enabled for the 'guest' user, an invalid user is able to deploy to that repository

     [ http://jira.codehaus.org/browse/MRM-967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching closed MRM-967.
--------------------------------

         Assignee: Maria Odea Ching
       Resolution: Fixed
    Fix Version/s: 1.1.3

Fixed in trunk -r702027 and merged in 1.1.x branch -r702032. 

> Security Issue: If repository observer role is enabled for the 'guest' user, an invalid user is able to deploy to that repository
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MRM-967
>                 URL: http://jira.codehaus.org/browse/MRM-967
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security, WebDAV interface
>    Affects Versions: 1.1.2
>            Reporter: Maria Odea Ching
>            Assignee: Maria Odea Ching
>            Priority: Critical
>             Fix For: 1.1.3
>
>
> Steps to reproduce (using repository 'snapshots'):
> 1. Configure the <distributionManagement> of your project's pom to deploy your project to 'snapshots' repository, as follows:
> <distributionManagement>
>   <repository>
>     <id>releases</id>
>     <name>Releases Repository</name>
>     <layout>default</layout>
>     <url>dav:http://localhost:8080/archiva/repository/releases/</url>
>   </repository>
>   <snapshotRepository>
>     <id>snapshots</id>
>     <uniqueVersion>true</uniqueVersion>
>     <name>Snapshots Repository</name>
>     <layout>default</layout>
>     <url>dav:http://localhost:8080/archiva/repository/snapshots/</url>
>   </snapshotRepository>
> </distributionManagement>
> 2. Enable the 'snapshots' repository observer role for 'guest' user
> 3. Add an invalid user credentials in your settings.xml for 'snapshots' repository, as shown below:
> <server>
>   <id>snapshots</id>
>   <username>invalidusername</username>
>   <password>password</password>
> </server> 
> 4. Execute 'mvn clean deploy' in your project. 
> Alternatively, you can also use the deploy-file goal to replicate the issue so you won't need to configure your pom (ex. 'mvn deploy:deploy-file -Dfile=nunit.framework.dll -DgroupId=NUnit -Dversion=2.4.8.0 -Dpackaging=dll -DartifactId=NUnit.Framework.dll -DrepositoryId=snapshots -Durl=http://localhost:8080/archiva/repository/snapshots -DgeneratePom=true')

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira