On Sun, Sep 20, 2020 at 4:44 PM Vibin Bruno <vbruno165_at_gmail.com> wrote:
> Hi Team,
>
> Our security team has raised below vulnerabilities in SVN.
>
> 1. Concurrent login allowed in SVN console - same user can login to the
> console same time using two machines.
>
> 2. Brute Force attack - user should be locked after 3 incorrect login
> attempts.
>
> Kindly help us in resolving the above vulnerabilities.
>
This is not the correct list to report these "problems".
SVN does not have a web user interface or console, so you are likely using
some other SVN management product and need to report this there. That said,
I would say both of these are more opinion and taste than vulnerabilities.
I manage a SVN related product called SVN Edge and I would not consider
"fixing" either of these issues if that is the product you are using. The
first one is just straight up not a problem and I would never entertain it
as one. The second one is somewhat a problem though "3" is an arbitrary
number and there are a lot of ways to deal with brute force login attempts.
For example, SVN Edge throttles the login attempts making it impractical to
brute force attack a password.
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2020-09-22 22:44:17 CEST