Defect #9567

closed

Redmine.pm potential security issue with cache credential enabled and subversion

Added by Guillaume Perréal almost 13 years ago. Updated almost 13 years ago.

Status: Closed
Priority: High
Category: SCM extra
Target version:
Start date: 2011-11-14
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Redmine.pm credential cache is based only on project, user and password, ignoring permissions (or at least read/write type). Credentials cached for reading can thus be reused for committing.

Simple test case:
  1. ensure credential cache is enabled using "RedmineCacheCredsMax 50",
  2. create a private project with Subversion SCM,
  3. assign a user with role "reviewer" (he should have only :browse_repository permission),
  4. check out the project,
  5. modify a file,
  6. commit.

Here is a log excerpt (user bob is reviewer of project monprojet):

First attempt, we get an error 401, asking the user to authenticate for read method "OPTIONS":

192.168.56.1 - - [14/Nov/2011:20:32:27 +0100] "OPTIONS /svn/monprojet/trunk HTTP/1.1" 401 762 "-" "SVN/1.6.12 (r955767) neon/0.29.6"

Then the user successfully authenticates as bob, who is allowed read methods (OPTIONS and PROPFIND):

192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "OPTIONS /svn/monprojet/trunk HTTP/1.1" 200 870 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/trunk HTTP/1.1" 207 856 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 

Then comes the committing part, starting with MKACTIVITY, a write method:

192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "MKACTIVITY /svn/monprojet/!svn/act/7d5d2d10-22bb-429d-99d3-958c04a83f6c HTTP/1.1" 201 579 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "CHECKOUT /svn/monprojet/!svn/vcc/default HTTP/1.1" 201 595 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPPATCH /svn/monprojet/!svn/wbl/7d5d2d10-22bb-429d-99d3-958c04a83f6c/3 HTTP/1.1" 207 625 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/trunk HTTP/1.1" 207 564 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "CHECKOUT /svn/monprojet/!svn/ver/3/trunk HTTP/1.1" 201 603 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/!svn/wrk/7d5d2d10-22bb-429d-99d3-958c04a83f6c/trunk/bla3 HTTP/1.1" 404 503 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/trunk/bla3 HTTP/1.1" 404 457 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PUT /svn/monprojet/!svn/wrk/7d5d2d10-22bb-429d-99d3-958c04a83f6c/trunk/bla3 HTTP/1.1" 201 602 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "MERGE /svn/monprojet/trunk HTTP/1.1" 200 1183 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "DELETE /svn/monprojet/!svn/act/7d5d2d10-22bb-429d-99d3-958c04a83f6c HTTP/1.1" 204 141 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
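
A minimal Python model of the flaw described in this report, added here as an illustration; it is not Redmine.pm code and not part of the original report. The password, the digest function and the read-method set beyond OPTIONS and PROPFIND are assumptions, and the hardened key (adding the access mode) is one possible way to close the gap, not necessarily what the project did.

```python
import hashlib

# Assumed read-only method set; the report names OPTIONS and PROPFIND as read methods.
READ_METHODS = {"GET", "OPTIONS", "PROPFIND", "REPORT"}

def digest(password):
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed data: bob is a reviewer (read-only) on the private project.
PASSWORD_DIGESTS = {"bob": digest("s3cret")}
PERMISSIONS = {("monprojet", "bob"): {"read"}}


def access_mode(method):
    return "read" if method in READ_METHODS else "write"


def full_check(project, user, password, method):
    """Slow path: verify the password and the permission this method needs."""
    if PASSWORD_DIGESTS.get(user) != digest(password):
        return False
    return access_mode(method) in PERMISSIONS.get((project, user), set())


class CredCache:
    """Caches successful checks; key_includes_mode selects the hardened key."""

    def __init__(self, key_includes_mode):
        self.key_includes_mode = key_includes_mode
        self.entries = set()

    def authorize(self, project, user, password, method):
        key = (project, user, digest(password))
        if self.key_includes_mode:
            key += (access_mode(method),)
        if key in self.entries:
            return True  # cache hit: full_check is skipped entirely
        allowed = full_check(project, user, password, method)
        if allowed:
            self.entries.add(key)
        return allowed


def replay(cache):
    """Replay the first three methods of the log excerpt as bob."""
    methods = ["OPTIONS", "PROPFIND", "MKACTIVITY"]
    return {m: cache.authorize("monprojet", "bob", "s3cret", m) for m in methods}

print("flawed  :", replay(CredCache(key_includes_mode=False)))
print("hardened:", replay(CredCache(key_includes_mode=True)))
```

With the flawed key, the entry created by the authorized OPTIONS request also satisfies MKACTIVITY; with the access mode in the key, MKACTIVITY misses the cache and the permission check denies it.
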
Actions #1

Updated by Jean-Philippe Lang almost 13 years ago

  • Status changed from New to Confirmed

Yes, RedmineCacheCredsMax should be disabled for now.

Actions #2

Updated by Jean-Philippe Lang almost 13 years ago

  • Status changed from Confirmed to Resolved
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

This should be fixed in r7809. Can you confirm?

Actions #3

Updated by Guillaume Perréal almost 13 years ago

Confirmed. It indeed denies MKACTIVITY in this test case.

Actions #4

Updated by Jean-Philippe Lang almost 13 years ago

  • Target version set to 1.2.3
Actions #5

Updated by Jean-Philippe Lang almost 13 years ago

  • Status changed from Resolved to Closed

Merged.
