[Secure-testing-team] Bug#775682: arbitrary file access when downloads enabled for users with commit access

Thijs Kinkhorst thijs at debian.org
Sun Jan 18 16:39:26 UTC 2015


Package: websvn
Severity: serious
Tags: security patch

Hi,

James Clawson reported:

"Arbitrary files with a known path can be accessed in websvn by committing a
symlink to a repository and then downloading the file (using the download
link).

An attacker must have write access to the repo, and the download option must
have been enabled in the websvn config file.

Example:
- Create a symlink to /etc/passwd and commit it to the repo.
- Access websvn and download the file.
- The downloaded file will be the web server's /etc/passwd (i.e. the symlink is
  resolved on the web server).

This will also work with symlinks to directories, but dlmode=zip must be added
to the download link manually. Zip must be installed manually to be able to
download directories."


I've assigned CVE-2013-6892 to this issue. Please mention it in the changelog
when fixing the issue.

I've created the attached patch, which solves the bug.

Cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: websvn_symlinks.patch
Type: text/x-diff
Size: 1364 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20150118/a180cf47/attachment.patch>
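
The check below is an added example, not the attached patch (whose contents are not shown on this page) and not websvn code. It assumes repository content is exported to a directory on the web server before being offered for download; the names `find_symlinks`, `may_serve` and `demo` are hypothetical, and the sample tree is constructed.

```python
import os
import tempfile

def find_symlinks(export_root):
    """List (relative path, resolves_outside_root) for every symlink in the tree."""
    root = os.path.realpath(export_root)
    found = []
    # followlinks=False: never descend into a symlinked directory
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                outside = os.path.commonpath([root, target]) != root
                found.append((os.path.relpath(path, root), outside))
    return sorted(found)

def may_serve(export_root, requested):
    """Allow a download only if the path stays in the export root and follows no symlink."""
    root = os.path.realpath(export_root)
    full = os.path.normpath(os.path.join(root, requested))
    if os.path.commonpath([root, full]) != root:
        return False  # "../" or absolute path leaving the export
    # realpath differs from the literal path exactly when a symlink was followed
    return os.path.realpath(full) == full and os.path.exists(full)

def demo():
    """Constructed tree mirroring the report: a regular file, a file symlink, a directory symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "README"), "w") as fh:
            fh.write("regular file\n")
        os.symlink("/etc/passwd", os.path.join(tmp, "users"))  # file symlink
        os.symlink("/etc", os.path.join(tmp, "conf"))          # directory symlink
        return {
            "symlinks": find_symlinks(tmp),
            "README": may_serve(tmp, "README"),
            "users": may_serve(tmp, "users"),
            "conf/hostname": may_serve(tmp, "conf/hostname"),
        }

if __name__ == "__main__":
    print(demo())
```

`find_symlinks` suits an audit of an already exported tree, while `may_serve` is the per-request gate; the directory case shows why every path component has to be checked, not only the final one.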

