On Sun, Jan 25, 2004 at 10:26:30AM -0500, Mark Benedetto King wrote:
> On Sun, Jan 25, 2004 at 04:11:10AM +0000, Colin Watson wrote:
> > Surely, if it matters that an attacker knows the path, you've already
> > lost anyway? I've found the information useful for diagnosing problems
> > in the past and don't see how it's a vulnerability.
>
> Path disclosure is information leakage. There have been vulnerabilities
> in other software components (Tomcat, for example) that allow you to obtain
> the full contents of a file if you know its absolute path.
I don't buy that, because I think most attackers would go for more
interesting system files before they started trying to look for a
Subversion repository, and the contents of those files may well make it
irrelevant that you've suppressed useful information in Subversion's
error messages. For example, on a system with GNU findutils installed I
can grab /var/cache/locate/locatedb and voilà, I have my list of
filenames. Like I said above, if it makes a difference that the attacker
knows the path to your repository then you've already lost the battle by
allowing them to access arbitrary files, and erecting gauzy barriers of
obscurity at that point does little practical good.
In other words, I don't believe that this is important information
leakage. To me the debugging usefulness far exceeds the theoretical -
and, I feel, distinctly dubious - decrease in security.
--
Colin Watson [cjwatson@flatline.org.uk]
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jan 26 03:31:49 2004