Project

General

Profile

Actions

Defect #5383

closed

Redmine.pm auth vulnerability

Added by Yar Isakov almost 14 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
SCM
Target version:
-
Start date:
2010-04-26
Due date:
% Done:

100%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Hello, I found that even if project is non-public, any user can see subversion storage of it through Redmine.pm. Also, if user was authenticated through LDAP, his permission was not checked (so he can checkout and/or commit to it). Here is my patch for these issues


Files

redmine.pm.patch (1.05 KB) redmine.pm.patch Yar Isakov, 2010-04-26 15:53
redmine.pm.patch (1.48 KB) redmine.pm.patch fixed fix Yar Isakov, 2010-04-26 21:08
Actions #1

Updated by Yar Isakov almost 14 years ago

I forgot to move declaration of $method out of unless block, here is fixed patch

Actions #2

Updated by Holger Just over 13 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
  • Resolution set to Fixed

This was fixed in r3832.

Please send possible future security incidents directly to security (at) redmine (dot) org. Those will then be handled in a more private way to allow responsible disclosure of security incidents.

Actions #3

Updated by Bennet Pritchard over 12 years ago

SPAM

Actions

Also available in: Atom PDF