
Credentials held unencrypted in memory during runtime

From: Annamalai <annamalai_at_collab.net>
Date: Mon, 11 Apr 2011 17:38:56 +0530



While testing a scenario, we found that the TortoiseSVN client application
holds the username and password strings in clear text in memory
during runtime. The sensitive information (e.g. password) is loaded into
a variable during the authentication phase. The variable is not cleared
after the initial use. It is possible to extract the TortoiseSVN strings
stored in memory and obtain a valid password.




Testing Evidence: Using readily available tools, the variables are
extracted from memory. The password used for authentication remains
within the variable after use.


FYI: We tested this in TortoiseSVN 1.6.15.


Please let us know whether this security issue is fixed in the upcoming release.


Thanks & Regards,


Annamalai_at_Arunachalam.A

Senior Support Engineer


Collabnet Software Private Limited

The Lords|5th Floor|Block-II |1&2 | North Extn. Area
Ekkatuthangal | Guindy | Chennai - 600032 |India



Received on 2011-04-11 14:09:19 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
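
The behaviour reported in the message above, a password left in its variable after authentication, next to the usual mitigation of wiping the buffer once it has been used. This is an added example, not part of the original post and not TortoiseSVN code; `creds_t`, `login`, `authenticate`, `secure_wipe`, `buffer_contains` and the credential values are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical credential holder; field sizes are assumptions. */
typedef struct { char username[64]; char password[64]; } creds_t;

/* Zero via a volatile pointer so the stores are not dropped as dead writes. */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Stand-in for the real authentication exchange (constructed values). */
int authenticate(const creds_t *c) {
    return strcmp(c->username, "alice") == 0 &&
           strcmp(c->password, "constructed-pass-123") == 0;
}

/* Returns 1 if the byte string `needle` still occurs anywhere in buf. */
int buffer_contains(const void *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    const unsigned char *b = (const unsigned char *)buf;
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(b + i, needle, n) == 0) return 1;
    return 0;
}

/* Load credentials, authenticate, and optionally wipe the password. */
int login(creds_t *c, const char *user, const char *pass, int wipe_after) {
    memset(c, 0, sizeof *c);
    snprintf(c->username, sizeof c->username, "%s", user);
    snprintf(c->password, sizeof c->password, "%s", pass);
    int ok = authenticate(c);
    if (wipe_after) secure_wipe(c->password, sizeof c->password);
    return ok;
}

int main(void) {
    creds_t c;
    const char *pw = "constructed-pass-123";
    login(&c, "alice", pw, 0);
    printf("no wipe: password in buffer = %d\n", buffer_contains(&c, sizeof c, pw));
    login(&c, "alice", pw, 1);
    printf("wiped:   password in buffer = %d\n", buffer_contains(&c, sizeof c, pw));
    return 0;
}
```

Platform primitives such as `SecureZeroMemory` on Windows or `explicit_bzero` where the C library provides it serve the same purpose as `secure_wipe`. Wiping one buffer does not cover copies of the secret made elsewhere in the process, such as in UI controls or library-internal structures.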