
Security flaw: subversion stores passwords by default

From: Hadmut Danisch <hadmut_at_danisch.de>
Date: Wed, 19 Mar 2008 23:58:39 +0100

Hi,

I just installed a subversion repository together with webdav and an apache server, protected by password authentication over LDAP and HTTPS.

Accessing this repository over HTTPS worked perfectly except for a severe security problem:

Unless turned off in the user's (or common) configuration file, subversion stores the password in plain text files. Since the web access password is the same as the common account password used for several services, inexperienced users compromise their own passwords without even realizing it.

Although not a bug in the common sense, this is a severe security flaw by design.

I would strongly recommend modifying this behavior and never ever letting subversion store any password by itself. If the password should be stored locally, then the user should do it himself, or at least be given an option to do so.

And, btw, it would be nice to support the https://user@server/... syntax or a way to take the user from environment or configuration.

regards
Hadmut

Received on 2008-03-19 23:58:46 CET
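The post describes the client-side behaviour only in prose: unless the user turns it off, Subversion caches the password in its auth directory in the clear. The shell functions below are an added example, not code from the post or from the Subversion project. They show the client settings that disable that caching and an audit that lists which cached entries are plaintext. The auth-cache location (`~/.subversion/auth/svn.simple/`), the K/V hash-file layout, the `passtype` value `simple`, and the option names `store-passwords`, `store-auth-creds` and `store-plaintext-passwords` are real Subversion behaviour (the last one was added in Subversion 1.6, after this mail was written); the sample cache entries, file names, realms and credentials are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or from Subversion itself):
# audit a Subversion auth cache for plaintext passwords and print the
# client configuration that prevents them from being written.

# List every cached credential whose password is stored in the clear.
# Usage: find_plaintext_svn_creds [auth_dir]  (default: ~/.subversion/auth)
# Prints "<cache file>\t<realm>" per plaintext entry; returns 0 if any
# was found, 1 otherwise.
find_plaintext_svn_creds() {
    dir="${1:-$HOME/.subversion/auth}/svn.simple"
    found=1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # In the K/V format each key line is followed by "V <len>" and then
        # the value line, so skip one line after the key and print the next.
        passtype=$(awk '$0=="passtype"{getline; getline; print; exit}' "$f")
        realm=$(awk '$0=="svn:realmstring"{getline; getline; print; exit}' "$f")
        # passtype "simple" means the password itself is in this file;
        # other values (gnome-keyring, kwallet, keychain, wincrypt) mean the
        # file only references an encrypted store.
        if [ "$passtype" = "simple" ]; then
            printf '%s\t%s\n' "$f" "$realm"
            found=0
        fi
    done
    return $found
}

# Hardened ~/.subversion/config: never cache passwords (or any auth creds).
hardened_svn_config() {
    cat <<'EOF'
[auth]
store-passwords = no
store-auth-creds = no
EOF
}

# Hardened ~/.subversion/servers (Subversion 1.6+): keep caching, but refuse
# to write a password anywhere except an encrypted store.
hardened_svn_servers() {
    cat <<'EOF'
[global]
store-plaintext-passwords = no
EOF
}

# Build a constructed auth directory with one plaintext entry and one
# keyring-backed entry. Real cache files are named by a hash of the realm;
# the names and credentials here are made up for the demonstration.
make_sample_auth_dir() {
    base=$(mktemp -d)
    mkdir -p "$base/svn.simple"
    cat > "$base/svn.simple/constructed-plaintext-entry" <<'EOF'
K 8
passtype
V 6
simple
K 8
password
V 27
constructed-sample-password
K 15
svn:realmstring
V 43
<https://svn.example.com:443> Example Realm
K 8
username
V 5
alice
END
EOF
    cat > "$base/svn.simple/constructed-keyring-entry" <<'EOF'
K 8
passtype
V 13
gnome-keyring
K 15
svn:realmstring
V 43
<https://svn.example.org:443> Keyring Realm
K 8
username
V 3
bob
END
EOF
    printf '%s\n' "$base"
}
```

Run `find_plaintext_svn_creds` with no argument on a workstation to see which realms have a plaintext password on disk; any entry it prints should be removed (delete the cache file) and the `[auth]` settings above put in place before the user logs in again, since Subversion only consults those options when it is about to write the cache.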

This is an archived mail posted to the Subversion Users mailing list.
