[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Security flaw: subversion stores passwords by default

From: Ryan Schmidt <subversion-2008a_at_ryandesign.com>
Date: Wed, 19 Mar 2008 19:25:30 -0500

On Mar 19, 2008, at 19:02, Hadmut Danisch wrote:

> Blair Zajac schrieb:
>> See
>> http://subversion.tigris.org/faq.html#plaintext-passwords
>> http://svnbook.red-bean.com/nightly/en/
>> svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.credcache
> Thanks, but I am pretty much aware of this.
> This does not make it any less insecure. On the contrary: This is
> insecure by design. If many people have
> complained before, and the authors still intentionally keep such
> flaws, what is their idea of security?
> Just read that:
> " Trust your OS to protect data on disk."
> That's nonsense. What do they believe why passwords stored by the
> operating system are usually hashed and salted?
> What makes them believe that exactly that OS will be in place all
> time?
> That sort of approach is really silly. If you can't do it in a
> secure way, than don't do it at all (at least not without explicit
> user consent).
> The really bad thing about this is that it not just compromises
> subversion, but can compromise the security of the whole LAN.
> Absolutely bad design.

The Subversion client needs to provide the plain text password to the
Apache server during authentication. Suggest a way for this to be
accomplished without storing the plain text password on the client's

Encrypting the password on the client's disk is not a solution unless
the Subversion client can also decrypt the password again so it can
be provided to Apache in plain text. And if the Subversion client,
whose source is public, can do this, then any other software can do
this too so it is no more secure than storing the plain text password
on disk.

To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-03-20 01:26:17 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.