Ticket #708 (closed defect: worksforme)
Opened 8 years ago
Last modified 8 years ago
Attacker may gain access to restricted source
| Reported by: | patrick+tracprj@… | Owned by: | jonas |
|---|---|---|---|
| Priority: | high | Milestone: | 0.8 |
| Component: | version control/browser | Version: | 0.7.1 |
| Severity: | major | Keywords: | permissions |
| Cc: | | | |
| Release Notes: | | | |
| API Changes: | | | |
Description
If an attacker can guess the path to a source file within a svn repository it is possible for him to view the file without the proper permissions.
For example, say that on your trac site you restrict access so that only the user 'me' can browse source code. Your trac site is at http://www.ATracSite.tld. If there is a file README.txt in the root of your svn repository that is linked to this site, it could be accessed via visiting http://www.ATracSite.tld/file/README.txt even if the user is not authenticated as 'me'.
This may be of diminished concern since an attacker would need to guess the name for every file within your repository that he wishes to access. However, if changesets are visible in the timeline view, it is much easier for an attacker to guess these paths. Stricter security is always a good thing.
Change History
comment:1 Changed 8 years ago by cmlenz
- Milestone set to 0.8
- Priority changed from normal to high
- Severity changed from normal to major
comment:2 Changed 8 years ago by cmlenz
- Keywords permissions added
- Resolution set to worksforme
- Status changed from new to closed
I cannot reproduce this with either 0.7.1 or 0.8. In both cases, if I directly try to access a file through Trac without the required FILE_VIEW permission, I get the error page saying "This action requires FILE_VIEW permission."
If you think the problem really exists, please provide more details about configuration and steps to reproduce, and reopen this ticket.
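The behaviour the maintainer describes in comment:2, as an added illustration rather than Trac's own code: a minimal model of a /file/<path> handler that checks FILE_VIEW on every request to the resource itself, so a guessed or timeline-derived path gives an unauthenticated user nothing. The permission table, repository contents and the serve() function are constructed for this example; only the FILE_VIEW name, the /file/ route and the denial message come from the ticket.

```python
# Added illustration, not Trac's code: a minimal model of the authorisation
# decision this ticket is about. FILE_VIEW, the /file/<path> route and the
# denial text come from the ticket; everything else here is constructed.

FILE_VIEW = "FILE_VIEW"

# Constructed permission table: only user 'me' may browse source.
PERMISSIONS = {
    "me": {FILE_VIEW},
    "anonymous": set(),
}

# Constructed repository contents standing in for the linked svn repository.
REPOSITORY = {
    "README.txt": "Hello from the repository root\n",
    "src/main.c": "int main(void) { return 0; }\n",
}


def serve(user, url):
    """Handle a request for /file/<path>; returns (status, body).

    The check is made on the resource request itself, so it does not matter
    whether the caller found the path through the browser UI, through a
    changeset listed in the timeline, or by guessing it.
    """
    if not url.startswith("/file/"):
        return 404, "Not found"
    path = url[len("/file/"):]
    if FILE_VIEW not in PERMISSIONS.get(user, set()):
        # Deny before consulting the repository: the response is the same
        # whether or not the path exists, so it confirms no guesses. The
        # message matches the error page described in comment:2.
        return 403, "This action requires FILE_VIEW permission."
    if path not in REPOSITORY:
        return 404, "Not found"
    return 200, REPOSITORY[path]


def check_ticket_scenario():
    """The exact case from the description: a guessed path, no login."""
    return serve("anonymous", "/file/README.txt")


if __name__ == "__main__":
    print(serve("me", "/file/README.txt"))
    print(check_ticket_scenario())
```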