#708 closed defect (worksforme)
Attacker may gain access to restricted source
| Reported by: | | Owned by: | Jonas Borgström |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | version control/browser | Version: | 0.7.1 |
| Severity: | major | Keywords: | permissions |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
If an attacker can guess the path to a source file within a svn repository it is possible for him to view the file without the proper permissions.
For example, say that on your trac site you restrict access so that only the user 'me' can browse source code. Your trac site is at http://www.ATracSite.tld. If there is a file README.txt in the root of your svn repository that is linked to this site, it could be accessed via visiting http://www.ATracSite.tld/file/README.txt even if the user is not authenticated as 'me'.
This may be of diminished concern since an attacker would need to guess the name for every file within your repository that he wishes to access. However, if changesets are visible in the timeline view, it is much easier for an attacker to guess these paths. Stricter security is always a good thing.
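A minimal model of the authorization decision the ticket is about, added here as an example and not Trac's own code: a hypothetical dispatcher that checks FILE_VIEW only on the /browser/ entry point (the bypass the reporter describes) beside one that authorizes before resolving any repository path (the behaviour the maintainer reports). The repository contents, the user set and the handler names are constructed for the example.

```python
# Added example (not Trac's code): models the reported /file/ bypass and the
# fix where every entry point checks FILE_VIEW before touching the repository.

FILE_VIEW = "FILE_VIEW"

# Constructed stand-in for the svn repository: path -> content.
REPOSITORY = {"README.txt": "Trac README"}

# Constructed permission sets: only 'me' may browse source, as in the ticket.
PERMISSIONS = {"me": {FILE_VIEW, "BROWSER_VIEW"}, "anonymous": set()}


class PermissionDenied(Exception):
    """Raised where Trac would render 'This action requires FILE_VIEW permission.'"""


def serve_vulnerable(user, url):
    """Hypothetical buggy dispatcher: only /browser/ checks the permission,
    so a guessed /file/<path> URL reaches the repository unchecked."""
    if url.startswith("/browser/"):
        if FILE_VIEW not in PERMISSIONS[user]:
            raise PermissionDenied(f"This action requires {FILE_VIEW} permission.")
        path = url[len("/browser/"):]
    elif url.startswith("/file/"):
        path = url[len("/file/"):]  # no check here: the reported bypass
    else:
        raise KeyError(url)
    return REPOSITORY[path]


def serve_fixed(user, url):
    """Dispatcher that authorizes first and resolves the path second, so the
    decision cannot depend on which URL prefix the client chose."""
    if FILE_VIEW not in PERMISSIONS[user]:
        raise PermissionDenied(f"This action requires {FILE_VIEW} permission.")
    for prefix in ("/browser/", "/file/"):
        if url.startswith(prefix):
            return REPOSITORY[url[len(prefix):]]
    raise KeyError(url)


def is_denied(handler, user, url):
    """True if the handler refuses the request with the permission error."""
    try:
        handler(user, url)
    except PermissionDenied:
        return True
    return False
```

Running the two dispatchers against the same anonymous request is the regression check a maintainer would want: the fixed form must deny /file/README.txt and /browser/README.txt alike.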
Attachments (0)
Change History (3)
comment:1 by , 20 years ago
| Milestone: | → 0.8 |
|---|---|
| Priority: | normal → high |
| Severity: | normal → major |
comment:2 by , 20 years ago
| Keywords: | permissions added |
|---|---|
| Resolution: | → worksforme |
| Status: | new → closed |
I cannot reproduce this with either 0.7.1 or 0.8. In both cases, if I directly try to access a file through Trac without the required FILE_VIEW permission, I get the error page saying "This action requires FILE_VIEW permission." If you think the problem really exists, please provide more details about configuration and steps to reproduce, and reopen this ticket.