•  
      request #11478 Improper authentication of SVN operations
    Infos
    #11478
    Thomas Gerbet (tgerbet)
    2018-06-07 16:52
    2018-05-14 16:14
    11804
    Details
    Improper authentication of SVN operations

    Authentication of SVN operations can be bypassed when the database field unix_pw is empty for a user. This can happen if:

    • the setting homedir_prefix is empty
    • the account of the user has been automatically created during its first login through a OpenIDConnect provider
    • the account is created through the LDAP plugin and the user has never logged in the web UI and for some reasons the SVN repo does not rely on LDAP to deal with the authentication

    Impact

    An attacker could use this vulnerability to access and update SVN repositories he does not have access to.
    CVSSv3 score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

    Exploitation

    Set an ampty string in the field unix_pw of the DB for one of your user. Any password will be accepted when doing SVN operations. Authorizations are still enforced so you need to use a user with enough access to at least read the repo.

    References

    CWE 287

    SCM/Subversion
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-05-15
    Attachments
    Empty
    References
    Referenced by request #11478

    Artifact Tracker v5

    rel #11242 10.1

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2018-05-15 17:02
    Fix has been integrated in Tuleap 10.0.99.59.

    A patch with less side effect can be found at gerrit #11371 to ease the backport of a the fix to older versions.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Status changed from Under review to Closed
    • Connected artifacts
    • Close date set to 2018-05-15