Posted to dev@subversion.apache.org by Dave Oxley <da...@workplace-systems.plc.uk> on 2003/07/24 19:32:33 UTC

Very urgent security bug found

Urgent bug found in 0.25:
I'm running SVN 0.25 with Apache 2.0.47 on RedHat Linux 8.0.

My httpd.conf file contains:

    <Location /repos>
        DAV svn
        SVNPath /var/repos
        AuthType Basic
        AuthName "Developer access required"
        AuthUserFile /usr/local/apache/conf/passwords
        AuthGroupFile /usr/local/apache/conf/groups
        require group Development
    </Location>

Using a web browser I am prompted for user name and password when
accessing the url:
https://server.com/repos
but I am not prompted for a user name and password when accessing the url:
https://server.com/repos/Project/trunk/SomeFile.xml

Basically, the security is bypassed when trying to view files in the
repository.

Dave.

________________________________________________________________________
This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Very urgent security bug found

Posted by Dave Oxley <da...@workplace-systems.plc.uk>.
Ok. Sorry about the panic. Feeling pretty stupid now!!! Just found this
further down my httpd.conf:
    <Location /repos-xml/Project/tags>
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            AuthType Basic
            AuthName "Read-only tags."
            AuthUserFile /usr/local/apache/conf/passwords
            AuthGroupFile /usr/local/apache/conf/groups
            Require user Dave
        </LimitExcept>
    </Location>

and it should obviously have been:
    <Location /repos-xml/Project/tags>
        AuthType Basic
        AuthName "Developer access required"
        AuthUserFile /usr/local/apache/conf/passwords
        AuthGroupFile /usr/local/apache/conf/groups
        require group Development
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            AuthType Basic
            AuthName "Read-only tags."
            AuthUserFile /usr/local/apache/conf/passwords
            AuthGroupFile /usr/local/apache/conf/groups
            Require user Dave
        </LimitExcept>
    </Location>

Sorry.
Dave.

> Did you restart your browser between both accesses ?  Most browsers will
> cache the authentication and return it to the server when accessing a URL
> that is below where the browser was asked for credentials.
>
> Another thing, if you trace the connection (using Ethereal or some such
> tool), you should see the server sending credential requirements to the
> browser and the browser returning the username and password.
>
> Hope that helps,
> François
>
> On Thu, 24 Jul 2003 20:32:33 +0100 (BST), "Dave Oxley"
> <da...@workplace-systems.plc.uk> said:
>> Urgent bug found in 0.25:
>> I'm running SVN 0.25 with Apache 2.0.47 on RedHat Linux 8.0.
>>
>> My httpd.conf file contains:
>>
>>     <Location /repos>
>>         DAV svn
>>         SVNPath /var/repos
>>         AuthType Basic
>>         AuthName "Developer access required"
>>         AuthUserFile /usr/local/apache/conf/passwords
>>         AuthGroupFile /usr/local/apache/conf/groups
>>         require group Development
>>     </Location>
>>
>> Using a web browser I am prompted for user name and password when
>> accessing the url:
>> https://server.com/repos
>> but I am not prompted for a user name and password when accessing the
>> url:
>> https://server.com/repos/Project/trunk/SomeFile.xml
>>
>> Basically, the security is bypassed when trying to view files in the
>> repository.
>>
>> Dave.
>>
> Developer of Java Gui Builder
> http://jgb.sourceforge.net/

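
The following is an added example, not code from the thread or from the Subversion project: a small Python checker that models the Apache 2.0 behaviour behind Dave's misconfiguration (a Require directive only applies to the methods of the innermost <Limit>/<LimitExcept> around it, and a method with no applicable Require is never challenged) and runs it over both <Location> blocks he posted. The list of write methods, the simplified parser and the omission of the Auth* lines are my own assumptions.

```python
import re

# Read-only methods of a Subversion DAV client (the ones named in the thread's
# <LimitExcept>) plus a constructed sample of write methods for contrast.
READ_METHODS = ("GET", "PROPFIND", "OPTIONS", "REPORT")
WRITE_METHODS = ("PUT", "DELETE", "MKCOL", "PROPPATCH", "CHECKOUT", "MERGE")
ALL_METHODS = frozenset(READ_METHODS + WRITE_METHODS)
OPEN_RE = re.compile(r"^<(Location|Limit|LimitExcept)\b([^>]*)>$", re.I)
CLOSE_RE = re.compile(r"^</(?:Location|Limit|LimitExcept)>$", re.I)

def requires_per_method(conf):
    """Map each HTTP method to the Require directives that apply to it.
    Apache 2.0 rule modelled: a Require inherits the method set of the innermost
    <Limit>/<LimitExcept> around it (all methods when there is none); a method with no
    applicable Require is never challenged. Only those sections and Require are parsed."""
    scope = [ALL_METHODS]                     # stack of method sets in force
    applies = {m: [] for m in ALL_METHODS}
    for raw in conf.splitlines():
        line = raw.strip()
        if m := OPEN_RE.match(line):
            named = {a.upper() for a in m.group(2).split()}
            kind = m.group(1).lower()
            scope.append(scope[-1] & named if kind == "limit"
                         else scope[-1] - named if kind == "limitexcept"
                         else scope[-1])
        elif CLOSE_RE.match(line):
            scope.pop()
        elif line.lower().startswith("require "):
            for method in scope[-1]:
                applies[method].append(line)
    return applies

def unauthenticated_methods(conf):
    """Methods that reach the repository with no Require at all, i.e. no 401 challenge."""
    return sorted(m for m, reqs in requires_per_method(conf).items() if not reqs)

# The two <Location> blocks posted in the thread, with the Auth* lines omitted: they
# configure how to authenticate, not which methods are challenged (assumption).
BROKEN = """<Location /repos-xml/Project/tags>
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require user Dave
    </LimitExcept>
</Location>"""
FIXED = """<Location /repos-xml/Project/tags>
    require group Development
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require user Dave
    </LimitExcept>
</Location>"""
```

Running `unauthenticated_methods(BROKEN)` reports the four read methods as unchallenged, which is exactly the anonymous read Dave observed; the same call on FIXED reports none.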

Re: Very urgent security bug found

Posted by Francois Beausoleil <fb...@users.sourceforge.net>.
Did you restart your browser between both accesses? Most browsers will
cache the authentication and return it to the server when accessing a URL
that is below where the browser was asked for credentials.

Another thing, if you trace the connection (using Ethereal or some such
tool), you should see the server sending credential requirements to the
browser and the browser returning the username and password.

Hope that helps,
François

On Thu, 24 Jul 2003 20:32:33 +0100 (BST), "Dave Oxley"
<da...@workplace-systems.plc.uk> said:
> Urgent bug found in 0.25:
> I'm running SVN 0.25 with Apache 2.0.47 on RedHat Linux 8.0.
> 
> My httpd.conf file contains:
> 
>     <Location /repos>
>         DAV svn
>         SVNPath /var/repos
>         AuthType Basic
>         AuthName "Developer access required"
>         AuthUserFile /usr/local/apache/conf/passwords
>         AuthGroupFile /usr/local/apache/conf/groups
>         require group Development
>     </Location>
> 
> Using a web browser I am prompted for user name and password when
> accessing the url:
> https://server.com/repos
> but I am not prompted for a user name and password when accessing the
> url:
> https://server.com/repos/Project/trunk/SomeFile.xml
> 
> Basically, the security is bypassed when trying to view files in the
> repository.
> 
> Dave.
> 
Developer of Java Gui Builder
http://jgb.sourceforge.net/
