


            mod_authz_svn fails to protect metadata 

Summary:
=======

mod_authz_svn, the Apache httpd module which does path-based
authorization on Subversion repositories, is not correctly protecting
all metadata on unreadable paths.  

This metadata leakage affects the mod_authz_svn module in all released
versions of Subversion (through 1.0.7), as well as the 1.1-rc1, -rc2
and -rc3 release candidates.  The leakage is fixed in the 1.0.8 and
1.1-rc4 releases, as well as the upcoming 1.1 final release.


Details:
=======

If a Subversion commit affects paths that an administrator has marked
"unreadable" using mod_authz_svn, then:

   - "svn log -v" will list the existence of the unreadable paths;
   - "svn log -v" will show the commit's log message, which might be
                  considered sensitive metadata in some situations;
   - "svn propget" is also able to fetch the log message of any commit;
   - "svn blame" and other commands that follow renames are able to
                  acknowledge the existence of earlier versions of
                  files that exist at unreadable locations.

Severity:
========

Mild-to-medium severity, depending on your situation.

This security issue is not about revealing the contents of protected
files: it only reveals metadata about protected areas such as paths
and log messages.  This may or may not be important to your
organization, depending on how you're using path-based authorization,
and the sensitivity of the metadata.

(Exception: in the case of "svn blame", and only in svn 1.1-rc2 and
-rc3, it's possible that older unreadable versions of a file are being
transported from server to client; the contents aren't displayed, but
the data is still traveling over the network.)

These issues only affect users of mod_authz_svn, not people using
native httpd.conf directives (such as <Limit> or <LimitExcept>) to
limit general readability on whole repositories.


Workarounds:
===========

* Use mod_authz_svn to restrict writes only, not reads.

* Break unreadable areas into separate repositories, and use native
  Apache httpd.conf directives to make them unreadable.
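
To find out whether a deployment depends on read restrictions at all, the
access file can be audited for rules that deny read.  The script below is an
added example, not part of the original advisory or of Subversion; it assumes
the usual access-file layout ([path] or [repo:/path] sections with
"principal = r", "rw" or empty), uses a constructed sample file, and flags
only explicit deny entries, not paths left unreadable by the absence of any
matching rule.

```python
import configparser

# Constructed sample access file contents (not taken from the advisory).
SAMPLE_AUTHZ = """\
[groups]
devs = alice, bob

[/]
* = r
@devs = rw

[/trunk/secret]
* =
alice = rw

[calc:/branches/embargoed]
@devs = rw
* =

[/tags]
* = r
@devs = r
"""

# Sections that define names rather than path rules.
NON_PATH_SECTIONS = ("groups", "aliases")


def read_restricted_paths(authz_text):
    """Return {section: [principals explicitly denied read access]}."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep user and group names case-sensitive
    parser.read_string(authz_text)
    findings = {}
    for section in parser.sections():
        if section in NON_PATH_SECTIONS:
            continue
        denied = [who for who, rights in parser.items(section)
                  if "r" not in (rights or "")]
        if denied:
            findings[section] = denied
    return findings


def restricts_writes_only(authz_text):
    """True if no rule denies read, i.e. the first workaround is in effect."""
    return not read_restricted_paths(authz_text)


if __name__ == "__main__":
    for path, who in read_restricted_paths(SAMPLE_AUTHZ).items():
        print(f"{path}: read denied for {', '.join(who)}")
```

Every section it reports is a path whose existence and commit log messages
can be exposed as described under Details, and is a candidate for the second
workaround.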


References:
==========

  CAN-2004-0749: mod_authz_svn fails to protect metadata

Recommendation:
==============

We recommend an upgrade to 1.0.8 or 1.1.0-rc4.