On 11.04.2011 14:08, Annamalai wrote:
> While testing a scenario, we found that the TortoiseSVN client application
> holds the username and password strings in clear text within memory
> during runtime. The sensitive information (e.g. the password) is loaded into
> a variable during the authentication phase. The variable is not cleared
> after the initial use. It is possible to extract the TortoiseSVN strings
> stored in memory and obtain a valid password.
> *Testing Evidence:* Using readily available tools, the variables are
> extracted from memory. The password used for authentication remains
> within the variable after use.
> *FYI: We tested this in TortoiseSVN 1.6.15*
> Please let us know whether this security issue is fixed in the upcoming release.
You have a very strange definition of "security issue".
If someone is able to read the memory of a process, then that someone
has all the privileges necessary to do much more on that system. In such
a situation, reading a password is the least of your problems.
The security issue would be that this someone can actually read the
process memory from another process.
Here are a few pointers for you:
So next time, don't cry wolf unless you're absolutely sure there's a wolf.
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net
Received on 2011-04-11 18:48:45 CEST
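The exchange above turns on two points: the reporter's observation that a credential buffer is not cleared after use, and the reply's point that anyone who can read another process's memory already holds the privileges that matter. The following added example (not TortoiseSVN code, and not from either participant) shows the mechanics of the first point in C: a credential is copied into a working buffer, used, and then either left alone or wiped through a volatile pointer so the compiler cannot drop the "dead" stores; a scan of the buffer afterwards plays the role of the memory-scraping tool. All names (`secure_wipe`, `region_contains`, `password_remains_after_auth`) and the sample password are constructed for this illustration. Wiping only narrows the window during which the value is present; it does nothing against an attacker who can read the process while the value is in use, and a real client may hold other copies (GUI widgets, library string objects) that this one buffer does not cover.

```c
/* Added example, not TortoiseSVN code: keep a password in a buffer only as
 * long as it is needed, wipe it so the optimiser cannot remove the wipe,
 * and verify afterwards that no copy remains in that buffer. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Wipe that survives dead-store elimination. A plain memset() on a buffer
 * that is never read again may be removed by the optimiser, so the stores
 * go through a volatile pointer. (C11 memset_s and BSD explicit_bzero do
 * the same job where available.) */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Return 1 if `needle` (nlen bytes) occurs anywhere in `hay` (hlen bytes),
 * else 0. This stands in for a tool that scans process memory for a known
 * string. */
int region_contains(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    }
    return 0;
}

#define CRED_BUF 256

/* Stand-in for an authentication step: copy the credential into a working
 * buffer, "use" it (here a trivial checksum), then either leave the buffer
 * as is (wipe == 0) or clear it (wipe != 0). Returns 1 if the password is
 * still findable in the buffer afterwards, 0 if not, -1 on oversize input. */
int password_remains_after_auth(const char *password, int wipe)
{
    unsigned char buf[CRED_BUF];
    size_t len = strlen(password);
    if (len >= CRED_BUF) return -1;

    memset(buf, 0xAA, sizeof buf);      /* simulate stale data in the buffer */
    memcpy(buf, password, len + 1);     /* credential loaded for the request */

    unsigned checksum = 0;              /* the "use" of the credential */
    for (size_t i = 0; i < len; i++) checksum += buf[i];
    (void)checksum;

    if (wipe) secure_wipe(buf, sizeof buf);

    /* What a memory scraper would find in this buffer now. */
    return region_contains(buf, sizeof buf,
                           (const unsigned char *)password, len);
}

int main(void)
{
    const char *pw = "example-passw0rd";   /* constructed sample credential */
    printf("without wipe: password still in buffer = %d\n",
           password_remains_after_auth(pw, 0));
    printf("with wipe:    password still in buffer = %d\n",
           password_remains_after_auth(pw, 1));
    return 0;
}
```

Build with `cc -O2 -o wipe_demo wipe_demo.c` and run it: the first line reports 1 (the credential is still in the buffer after the "authentication"), the second reports 0. Try replacing the body of `secure_wipe` with a plain `memset(p, 0, n)` and compare the generated assembly at `-O2`; depending on the compiler and what follows the call, the store may be elided entirely, which is exactly why the volatile access is there.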