Vigil@nce - Apache Subversion: denial of service via mod_dav_svn
August 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a query using a revision root, which triggers
an assertion error in Apache Subversion mod_dav_svn, in order to
trigger a denial of service.
Impacted products: Subversion, Fedora, MBS, openSUSE
Severity: 2/4
Creation date: 25/07/2013
DESCRIPTION OF THE VULNERABILITY
The mod_dav_svn module is used to process Subversion operations
via Apache httpd.
However, the get_parent_path() and get_parent_resource() functions
of the mod_dav_svn/repos.c file do not correctly canonicalize
access paths. The usage of a revision root (which has no parent)
then triggers an assertion, which stops the service.
These functions are reachable through:
– a COPY query, on HTTPD 2.2.25/2.4.5+
– a MOVE HTTP query, on any Apache HTTPD version
– a COPY HTTP query, on any Apache HTTPD version
– a DELETE HTTP query, on any Apache HTTPD version
An attacker can therefore use a query using a revision root, which
triggers an assertion error in Apache Subversion mod_dav_svn, in
order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-Subversion-denial-of-service-via-mod-dav-svn-13165