Edgewall Software

Opened 15 years ago

Closed 15 years ago

Last modified 7 years ago

#708 closed defect (worksforme)

Attacker may gain access to restricted source

Reported by: patrick+tracprj@…
Owned by: Jonas Borgström
Priority: high
Milestone:
Component: version control/browser
Version: 0.7.1
Severity: major
Keywords: permissions
Cc:
Branch:
Release Notes:
API Changes:

Description

If an attacker can guess the path to a source file within a svn repository it is possible for him to view the file without the proper permissions.

For example, say that on your trac site you restrict access so that only the user 'me' can browse source code. Your trac site is at http://www.ATracSite.tld. If there is a file README.txt in the root of your svn repository that is linked to this site, it could be accessed via visiting http://www.ATracSite.tld/file/README.txt even if the user is not authenticated as 'me'.

This may be of diminished concern since an attacker would need to guess the name for every file within your repository that he wishes to access. However, if changesets are visible in the timeline view, it is much easier for an attacker to guess these paths. Stricter security is always a good thing.

Attachments (0)

Change History (3)

comment:1 by Christopher Lenz, 15 years ago

Milestone: 0.8
Priority: normal → high
Severity: normal → major

comment:2 by Christopher Lenz, 15 years ago

Keywords: permissions added
Resolution: worksforme
Status: new → closed

I cannot reproduce this with either 0.7.1 or 0.8. In both cases, if I directly try to access a file through Trac without the required FILE_VIEW permission, I get the error page saying "This action requires FILE_VIEW permission."

If you think the problem really exists, please provide more details about configuration and steps to reproduce, and reopen this ticket.

comment:3 by Christian Boos, 7 years ago

Milestone: 0.8

(clearing report:35)
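
The behaviour reported in comment:2, as a simplified model with a regression-style check. This is an added example, not Trac's code and not part of the ticket; the dispatcher, the `PERMS` and `REPO` tables and the function names are hypothetical, and the file contents are constructed.

```python
# Added illustration: a simplified model, NOT Trac's source code.
# PERMS, REPO, require() and handle() are hypothetical names.
import posixpath

# Constructed sample data: 'me' may browse source, 'anonymous' may not.
PERMS = {"me": {"FILE_VIEW", "TIMELINE_VIEW"}, "anonymous": {"TIMELINE_VIEW"}}
REPO = {"README.txt": "constructed sample file contents\n"}


class PermissionDenied(Exception):
    def __init__(self, action):
        super().__init__(f"This action requires {action} permission.")


def require(user, action):
    """Raise unless the user holds the named permission."""
    if action not in PERMS.get(user, set()):
        raise PermissionDenied(action)


def handle(user, url_path):
    """Return (status, body) for a request path such as /file/README.txt."""
    try:
        if url_path == "/timeline":
            require(user, "TIMELINE_VIEW")
            # The timeline lists changed paths, so path names are not
            # secret; the file handler must not rely on them being hidden.
            return 200, "\n".join(sorted(REPO))
        if url_path.startswith("/file/"):
            # Checked on every request, before the repository is touched,
            # so existing and missing paths look identical without FILE_VIEW.
            require(user, "FILE_VIEW")
            name = posixpath.normpath(url_path[len("/file/"):])
            if name not in REPO:
                return 404, "No such file"
            return 200, REPO[name]
        return 404, "Not found"
    except PermissionDenied as exc:
        return 403, str(exc)


if __name__ == "__main__":
    for user in ("anonymous", "me"):
        print(user, handle(user, "/file/README.txt"))
```
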
