On Mon, Jan 26, 2004 at 02:31:08AM +0000, Colin Watson wrote:
> On Sun, Jan 25, 2004 at 10:26:30AM -0500, Mark Benedetto King wrote:
> > On Sun, Jan 25, 2004 at 04:11:10AM +0000, Colin Watson wrote:
> > > Surely, if it matters that an attacker knows the path, you've already
> > > lost anyway? I've found the information useful for diagnosing problems
> > > in the past and don't see how it's a vulnerability.
> >
> > Path disclosure is information leakage. There have been vulnerabilities
> > in other software components (Tomcat, for example) that allow you to obtain
> > the full contents of a file if you know its absolute path.
>
> I don't buy that, because I think most attackers would go for more
> interesting system files before they started trying to look for a
> Subversion repository, and the contents of those files may well make it
> irrelevant that you've suppressed useful information in Subversion's
> error messages. For example, on a system with GNU findutils installed I
> can grab /var/cache/locate/locatedb and voil?, I have my list of
> filenames. Like I said above, if it makes a difference that the attacker
> knows the path to your repository then you've already lost the battle by
> allowing them to access arbitrary files, and erecting gauzy barriers of
> obscurity at that point does little practical good.
I agree that Path Disclosure Vulnerabilities are not in-and-of-themselves
as severe as many other types. However, such vulnerabilities are
frequently reported, and are usually followed with a patch that
fixes the problem. Apache 2.0.39 had one, and they had to release
2.0.40 to fix it.
If this is not fixed, then it is only a matter of time before a similar
vulnerability announcement for Subversion hits BugTraq. That inevitable
announcement will color the public's perception of Subversion's quality.
And then we'll probably want to fix the problem. Why wait?
>
> In other words, I don't believe that this is important information
> leakage. To me the debugging usefulness far exceeds the theoretical -
> and, I feel, distinctly dubious - decrease in security.
>
When we plugged the other hole, we sent the full text of the error message
to Apache's logs; that minimized the loss of debugging usefulness.
--ben
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jan 26 04:43:13 2004