
RE: Credentials held unencrypted in memory during runtime

From: Andrew <agaspar_at_odecee.com.au>
Date: Tue, 12 Apr 2011 22:41:50 -0700 (PDT)

Hi

The organisation that I am currently working for has also found this security issue, and being a financial organisation we are considering not allowing our developers to use TortoiseSVN.

This should be fixed, as it is a security flaw.

> Hi,
>
> While testing a scenario, we found the TortoiseSVN client application
> holds the username and password strings in clear text within the memory
> during runtime. The sensitive information (e.g. password) is loaded into
> a variable during the authentication phase. The variable is not cleared
> after the initial use. It is possible to extract the TortoiseSVN strings
> stored in memory and obtain a valid password.
>
> Testing Evidence: Using readily available tools, the variables are
> extracted from memory. The password used for authentication remains
> within the variable after use.
>
> FYI: We tested this in TortoiseSVN 1.6.15
>
> Please let us know whether this security issue is fixed in the upcoming release.
>
> Thanks & Regards,
>
> Annamalai_at_Arunachalam.A <mailto:Annamalai_at_Arunachalam.A>
> Senior Support Engineer
>
> Collabnet Software Private Limited
> The Lords|5th Floor|Block-II |1&2 | North Extn. Area
> Ekkatuthangal | Guindy | Chennai - 600032 |India

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719306

Received on 2011-04-13 07:58:09 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
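
The pattern the quoted report describes (a password left in its variable after authentication) next to a version that wipes the buffer, as an added example that is not TortoiseSVN code and not part of the original mail. `send_auth`, the function names and the sample password are hypothetical, constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Wipe through a volatile pointer so the compiler cannot drop the stores
   as dead writes to a buffer that is never read again. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical stand-in for the real authentication round trip. */
static int send_auth(const char *user, const char *pass) {
    return user[0] != '\0' && pass[0] != '\0';
}

/* Pattern from the report: the password stays in buf after use. */
int login_leaky(char *buf, size_t cap, const char *user, const char *typed) {
    strncpy(buf, typed, cap - 1);
    buf[cap - 1] = '\0';
    return send_auth(user, buf);
}

/* Hardened: the working copy is wiped as soon as authentication returns. */
int login_wiped(char *buf, size_t cap, const char *user, const char *typed) {
    strncpy(buf, typed, cap - 1);
    buf[cap - 1] = '\0';
    int ok = send_auth(user, buf);
    secure_wipe(buf, cap);
    return ok;
}

/* Defender's check: does the secret still appear anywhere in the buffer? */
int buffer_contains(const char *buf, size_t cap, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > cap) return 0;
    for (size_t i = 0; i + n <= cap; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    const char *pw = "S3cret-constructed";   /* constructed sample value */
    char a[32] = {0}, b[32] = {0};
    login_leaky(a, sizeof a, "alice", pw);
    login_wiped(b, sizeof b, "alice", pw);
    printf("leaky buffer holds password: %d\n", buffer_contains(a, sizeof a, pw));
    printf("wiped buffer holds password: %d\n", buffer_contains(b, sizeof b, pw));
    return 0;
}
```

On Windows the equivalent wipe is `SecureZeroMemory`. Wiping one buffer does not cover other copies of the password, such as the caller's `typed` string.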