
Re: Very urgent security bug found

From: Francois Beausoleil <fbos_at_users.sourceforge.net>
Date: 2003-07-24 21:41:36 CEST

Did you restart your browser between both accesses? Most browsers will
cache the authentication and return it to the server when accessing a URL
that is below where the browser was asked for credentials.

Another thing, if you trace the connection (using Ethereal or some such
tool), you should see the server sending credential requirements to the
browser and the browser returning the username and password.

Hope that helps,
François

On Thu, 24 Jul 2003 20:32:33 +0100 (BST), "Dave Oxley"
<david.oxley@workplace-systems.plc.uk> said:
> Urgent bug found in 0.25:
> I'm running SVN 0.25 with Apache 2.0.47 on RedHat Linux 8.0.
>
> My httpd.conf file contains:
>
> <Location /repos>
> DAV svn
> SVNPath /var/repos
> AuthType Basic
> AuthName "Developer access required"
> AuthUserFile /usr/local/apache/conf/passwords
> AuthGroupFile /usr/local/apache/conf/groups
> require group Development
> </Location>
>
> Using a web browser I am prompted for user name and password when
> accessing the url:
> https://server.com/repos
> but I am not prompted for a user name and password when accessing the
> url:
> https://server.com/repos/Project/trunk/SomeFile.xml
>
> Basically, the security is bypassed when trying to view files in the
> repository.
>
> Dave.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
Developer of Java Gui Builder
http://jgb.sourceforge.net/

Received on Thu Jul 24 21:42:45 2003
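
The check suggested in the reply above, as an added example that is not part of the original thread: a local stand-in server (not Apache or mod_dav_svn) challenges every request, a stateless client shows the deep URL still gets a 401, and a browser-like client shows why no second prompt appears. The names `Protected`, `CachingClient`, `get`, `demo` and the credentials are assumptions constructed for the example.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED = "Basic " + base64.b64encode(b"dev:constructed-password").decode()  # constructed

class Protected(BaseHTTPRequestHandler):
    """Stand-in for the <Location /repos> block: every request needs Basic auth."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == EXPECTED
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="Developer access required"')
        self.end_headers()

def get(port, path, authorization=None):
    """One stateless request, like a freshly restarted browser with nothing cached."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Authorization": authorization} if authorization else {})
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("WWW-Authenticate")

class CachingClient:
    """Mimics a browser: resends cached credentials for URLs below the prompted one."""
    def __init__(self, port):
        self.port, self.cache, self.trace = port, {}, []
    def fetch(self, path):
        auth = next((a for p, a in self.cache.items() if (path + "/").startswith(p + "/")), None)
        status, _ = get(self.port, path, auth)
        self.trace.append((path, "cached" if auth else "none", status))
        if status == 401:  # challenged: the user is "prompted", then the request is retried
            status, _ = get(self.port, path, EXPECTED)
            self.trace.append((path, "after-prompt", status))
            if status == 200:
                self.cache[path] = EXPECTED

def demo():
    with HTTPServer(("127.0.0.1", 0), Protected) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        port, deep = srv.server_address[1], "/repos/Project/trunk/SomeFile.xml"
        fresh = get(port, deep)  # nothing cached: the deep URL is still challenged
        browser = CachingClient(port)
        browser.fetch("/repos")
        browser.fetch(deep)
        srv.shutdown()
    return fresh, browser.trace

if __name__ == "__main__":
    print(demo())
```

The trace records which requests carried credentials, which is the same evidence a packet capture of the real connection would show.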

This is an archived mail posted to the Subversion Dev mailing list.
