
Credentials held unencrypted in memory during runtime

From: Annamalai <annamalai_at_collab.net>
Date: Mon, 11 Apr 2011 17:38:56 +0530

Hi,

While testing a scenario, we found that the TortoiseSVN client application
holds the username and password strings in clear text in memory
during runtime. The sensitive information (e.g. password) is loaded into
a variable during the authentication phase. The variable is not cleared
after the initial use. It is possible to extract the TortoiseSVN strings
stored in memory and obtain a valid password.

Testing evidence: Using readily available tools, the variables are
extracted from memory. The password used for authentication remains
within the variable after use.

 

FYI: We tested this in TortoiseSVN 1.6.15.

Please let us know whether this security issue is fixed in the upcoming release.

 

Thanks & Regards,

Annamalai_at_Arunachalam.A <mailto:Annamalai_at_Arunachalam.A>
Senior Support Engineer
Collabnet Software Private Limited
The Lords|5th Floor|Block-II |1&2 | North Extn. Area
Ekkatuthangal | Guindy | Chennai - 600032 |India

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2718832

Received on 2011-04-11 14:09:19 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
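
Added example, not part of the archived mail and not TortoiseSVN code: a C sketch of the pattern the report describes (a password left in a long-lived buffer after authentication) next to a version that wipes the buffer after use. The function names, the buffer size and the sample password are all constructed for illustration, and send_credentials is a hypothetical stand-in for the real authentication call.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 64

/* Zero through a volatile pointer so the stores are not removed as dead writes. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical stand-in for the real authentication call. */
static int send_credentials(const char *user, const char *pw) {
    return user[0] != '\0' && pw[0] != '\0';
}

/* Byte scan of a buffer, as a memory string-dump tool would do. */
int buffer_contains(const char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m > 0 && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Reported pattern: the password stays in the long-lived buffer after use. */
int authenticate_leaky(char buf[PW_MAX], const char *user, const char *pw) {
    snprintf(buf, PW_MAX, "%s", pw);
    return send_credentials(user, buf);
}

/* Hardened pattern: wipe the whole buffer as soon as authentication returns. */
int authenticate_wiped(char buf[PW_MAX], const char *user, const char *pw) {
    snprintf(buf, PW_MAX, "%s", pw);
    int ok = send_credentials(user, buf);
    secure_wipe(buf, PW_MAX);
    return ok;
}

int main(void) {
    const char *pw = "constructed-sample-pw";   /* constructed sample value */
    char a[PW_MAX] = {0}, b[PW_MAX] = {0};
    authenticate_leaky(a, "alice", pw);
    authenticate_wiped(b, "alice", pw);
    printf("leaky buffer holds password: %d\n", buffer_contains(a, PW_MAX, pw));
    printf("wiped buffer holds password: %d\n", buffer_contains(b, PW_MAX, pw));
    return 0;
}
```

The wipe only covers this one buffer; any other copy of the password made along the way (UI controls, library caches, reallocated strings) needs the same treatment. Platform primitives such as SecureZeroMemory on Windows or explicit_bzero on glibc and the BSDs serve the same purpose as secure_wipe here.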