[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Transaction names in post Uris webdav

From: Bert Huijben <rhuijben_at_sharpsvn.net>
Date: Thu, 5 Feb 2009 16:04:08 +0100

[I sent this mail to the dev list; not the security list... as this part
of the HTTPv2 protocol is not even implemented right now!]

        Hi,

Our webdav implementation creates a public Uri to communicate over when
a transaction is started and closes it when the transaction is
committed. (Or aborted?).

Anyway, in HTTPv1 we generated a UUID and used that as the public
transaction ID. This made it impossible to guess the transaction ID for
outstanders that didn't start the transaction.
(As far as I know everyone can write to this public Uri when they get
through the initial security check).

For HTTPv2 the decision was made to no longer create a generated UUID ->
Filesystem transaction mapping, but to use the real transaction ID used
by the filesystem in the Uri.

This might introduce a security problem, as it is certainly possible to
guess a filesystem transaction id. (I think FSFS uses two integers as
the transaction id.. the first of which specifies at which revision the
transaction started).

I don't know our webdav protocol and its emplementation well enough to
be sure that this is actually a security problem. (Or that we just store
the author in the transaction and verify that on every transaction
update). But I want to make sure we don't introduce a backdoor where..

The attack vector I'm afraid of is:

Lets assume I know UserX is working on the WC library ...
* That would make trunk/subversion/libsvn_wc a likely transaction root.
* I continuously try to write a new deprecated.c to this transaction
root based on the guessed transaction numbers.. and voila in one of the
thousands of requests I guess the transaction correctly, so it actually
succeeds.

Eventually UserX commits his transaction, but he commits deprecated.c
with it.

So in this case I can changed his transaction, without any trace in the
history. (And probably break his working copy too)..

Is this a realistic attack?

I surely hope it isn't...
But I want to be sure... So please shoot on this guessing..

Thanks,

        Bert

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1107805
Received on 2009-02-05 16:05:50 CET

This is an archived mail posted to the Subversion Dev mailing list.