
Re: Very urgent security bug found

From: Dave Oxley <david.oxley_at_workplace-systems.plc.uk>
Date: 2003-07-24 22:21:07 CEST

Ok. Sorry about the panic. Feeling pretty stupid now!!! Just found this
further down my httpd.conf:
    <Location /repos-xml/Project/tags>
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            AuthType Basic
            AuthName "Read-only tags."
            AuthUserFile /usr/local/apache/conf/passwords
            AuthGroupFile /usr/local/apache/conf/groups
            Require user Dave
        </LimitExcept>
    </Location>

and it should obviously have been:
    <Location /repos-xml/Project/tags>
        AuthType Basic
        AuthName "Developer access required"
        AuthUserFile /usr/local/apache/conf/passwords
        AuthGroupFile /usr/local/apache/conf/groups
        require group Development
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            AuthType Basic
            AuthName "Read-only tags."
            AuthUserFile /usr/local/apache/conf/passwords
            AuthGroupFile /usr/local/apache/conf/groups
            Require user Dave
        </LimitExcept>
    </Location>

Sorry.
Dave.

> Did you restart your browser between both accesses? Most browsers will
> cache the authentication and return it to the server when accessing a URL
> that is below where the browser was asked for credentials.
>
> Another thing, if you trace the connection (using Ethereal or some such
> tool), you should see the server sending credential requirements to the
> browser and the browser returning the username and password.
>
> Hope that helps,
> François
>
> On Thu, 24 Jul 2003 20:32:33 +0100 (BST), "Dave Oxley"
> <david.oxley@workplace-systems.plc.uk> said:
>> Urgent bug found in 0.25:
>> I'm running SVN 0.25 with Apache 2.0.47 on RedHat Linux 8.0.
>>
>> My httpd.conf file contains:
>>
>> <Location /repos>
>> DAV svn
>> SVNPath /var/repos
>> AuthType Basic
>> AuthName "Developer access required"
>> AuthUserFile /usr/local/apache/conf/passwords
>> AuthGroupFile /usr/local/apache/conf/groups
>> require group Development
>> </Location>
>>
>> Using a web browser I am prompted for user name and password when
>> accessing the url:
>> https://server.com/repos
>> but I am not prompted for a user name and password when accessing the
>> url:
>> https://server.com/repos/Project/trunk/SomeFile.xml
>>
>> Basically, the security is bypassed when trying to view files in the
>> repository.
>>
>> Dave.
>>
>> ________________________________________________________________________
>> This e-mail has been scanned for all viruses by Star Internet. The
>> service is powered by MessageLabs. For more information on a proactive
>> anti-virus service working around the clock, around the globe, visit:
>> http://www.star.net.uk
>> ________________________________________________________________________
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail: dev-help@subversion.tigris.org
>>
>>
> Developer of Java Gui Builder
> http://jgb.sourceforge.net/


Received on Thu Jul 24 22:15:47 2003
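The root cause in this thread is a Require directive that lives only inside a <LimitExcept GET PROPFIND OPTIONS REPORT> section, so the read methods Subversion clients use are served without any authentication. The following Python script is an added example written for this archive page; it is not part of the mail and not Subversion or Apache project code. It parses httpd.conf-style text, walks each <Location> block, and reports which of the read methods have no Require covering them, applying the same rules Apache documents for <Limit> (covers the listed methods) and <LimitExcept> (covers every method except the listed ones). The two configurations from Dave's mail are embedded as constructed sample input; the function and constant names are the example's own.

```python
import re

# Methods an SVN client (or a browser) uses to read a repository over WebDAV.
READ_METHODS = ("GET", "PROPFIND", "OPTIONS", "REPORT")

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")   # <Location /path>, <LimitExcept GET ...>
CLOSE_RE = re.compile(r"^</(\w+)>$")         # </Location>, </LimitExcept>


def audit_locations(conf: str, read_methods=READ_METHODS) -> dict:
    """Return {location_path: [read methods that no Require directive covers]}.

    A Require placed directly under <Location> applies to every method.
    Inside <Limit A B> it applies only to A and B; inside <LimitExcept A B>
    it applies to everything except A and B. Merging with parent <Location>
    sections is deliberately not modelled, so each block is judged on its own.
    """
    stack = []      # enclosing sections as (lowercased name, argument string)
    covered = {}    # location path -> set of read methods some Require covers
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            name, arg = m.group(1).lower(), m.group(2).strip()
            stack.append((name, arg))
            if name == "location":
                covered.setdefault(arg, set())
            continue
        if CLOSE_RE.match(line):
            stack.pop()
            continue
        if line.split()[0].lower() != "require":   # Apache directives are case-insensitive
            continue
        loc = next((arg for name, arg in reversed(stack) if name == "location"), None)
        if loc is None:
            continue
        applies = set(read_methods)
        for name, arg in stack:
            methods = {t.upper() for t in arg.split()}
            if name == "limit":
                applies &= methods
            elif name == "limitexcept":
                applies -= methods
        covered[loc] |= applies
    return {loc: [mth for mth in read_methods if mth not in covered[loc]] for loc in covered}


# Constructed sample input: the mis-configured block from the mail.
WRONG_CONF = """
<Location /repos-xml/Project/tags>
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        AuthType Basic
        AuthName "Read-only tags."
        AuthUserFile /usr/local/apache/conf/passwords
        AuthGroupFile /usr/local/apache/conf/groups
        Require user Dave
    </LimitExcept>
</Location>
"""

# Constructed sample input: the corrected block from the mail.
FIXED_CONF = """
<Location /repos-xml/Project/tags>
    AuthType Basic
    AuthName "Developer access required"
    AuthUserFile /usr/local/apache/conf/passwords
    AuthGroupFile /usr/local/apache/conf/groups
    require group Development
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        AuthType Basic
        AuthName "Read-only tags."
        AuthUserFile /usr/local/apache/conf/passwords
        AuthGroupFile /usr/local/apache/conf/groups
        Require user Dave
    </LimitExcept>
</Location>
"""

if __name__ == "__main__":
    for label, conf in (("wrong", WRONG_CONF), ("fixed", FIXED_CONF)):
        for loc, open_methods in audit_locations(conf).items():
            status = "UNAUTHENTICATED read methods: %s" % open_methods if open_methods else "ok"
            print("%s %s: %s" % (label, loc, status))
```

Run against the first block it reports all four read methods as unauthenticated for /repos-xml/Project/tags; against the corrected block it reports none, because the Location-level require group Development covers every method and the LimitExcept only narrows who may write. Because parent Location merging is not modelled, a block flagged here may still be protected by an enclosing section; the request trace François suggests remains the authoritative check.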

This is an archived mail posted to the Subversion Dev mailing list.
