[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Different behaviour of storing plaintext passwords under Unix - svn log differes from svn co/up

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sun, 23 Nov 2014 00:18:02 +0000

Branko Čibej wrote on Sat, Nov 22, 2014 at 08:38:29 +0100:
> There is a possible attack vector through that: Since Subversion was
> told to trust the stored certificate, one can imagine a situation where
> an attacker (a) subverts IP routing and/or DNS to redirect your
> connections to their own server, with a different certificate; (b)
> breaks in to your, and (c) every other, client machine to change their
> stored server certs. However, at least (c) unlikely.
>
> OTOH, since "unlikely" is not the same as "can't happen", we should
> perhaps consider not storing the server cert, too, if plaintext password
> storage is disabled.
>

Whether or not you store the cert simply doesn't matter if your attacker
controls the contents of ~/.subversion/auth/. The way to deal with a
poisoned cache is to nuke it or disregard it.

For example, 'rm -rf ~/.subversion' or '--config-dir=$(mktemp -d)'.

Daniel

> P.S.: Compare the above scenario with the far more simple and likely one
> where the attacker breaks into your server and steals it wholesale,
> including the server's private key.
Received on 2014-11-23 01:20:45 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.