Subversion mod_authz_svn information disclosure
| subversion-information-disclosure (17472) |  Medium Risk |
Description:
Subcould allow a remote attacker to obtain sensitive information, caused by a vulnerability in the mod_authz_svn module. The mod_authz_svn module fails to properly restrict access to metadata within unreadable paths. A remote attacker could exploit this vulnerability by invoking specific commands (svn log -v, svn propget, and svn blame) to verify the existence of unreadable paths and view commit log messages, even if the administrator has determined that a path is unreadable.
Note: For versions 1.1-rc2 and 1.1-rc3, the attacker could use the svn blame command to cause an unreadable arbitrary file to be sent over the network, though the information will not be displayed on the client.
Consequences:
Obtain Information
Remedy:
Upgrade to the latest version of Subversion (1.0.8 or 1.1.0-rc4 or later), available from the Subversion Web site. See References.
For Gentoo Linux:
Upgrade to the latest version of Subversion (1.0.8 or later), as listed in GLSA 200409-35. See References.
For Conectiva Linux:
Upgrade to the latest subversion package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:883 for more information. See References.
Conectiva Linux 10: 1.0.1-63329U10_1cl or later
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- Conectiva Linux Security Announcement CLSA-2004:883: Fixes for subverion's vulnerabilities.
- Subversion Web site: mod_authz_svn fails to protect metadata.
- Subversion Web site: subversion: Documents & files: Source tarballs.
- BID-11243: Subversion Mod_Authz_Svn Metadata Information Disclosure Vulnerability
- CVE-2004-0749: The mod_authz_svn module in Subversion 1.0.7 and earlier does not properly restrict access to all metadata on unreadable paths, which could allow remote attackers to gain sensitive information via (1) svn log -v, (2) svn propget, or (3) svn blame, and other commands that follow renames.
- GLSA-200409-35: Subversion: Metadata information leak
Platforms Affected:
- Conectiva Linux 10
- Gentoo Linux
- Subversion Subversion 1.1-rc1
- Subversion Subversion 1.1-rc2
- Subversion Subversion 1.1-rc3
- Subversion Subversion prior to 1.0.8
Reported:
Sep 23, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net