Vigil@nce: Subversion, denial of service of mod_dav_svn
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An unauthenticated attacker can send a LOCK query to the HTTP
Subversion service, in order to stop it.
– Severity: 2/4
– Creation date: 04/03/2011
IMPACTED PRODUCTS
– Debian Linux
– Red Hat Enterprise Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The mod_dav_svn module can be installed on Apache httpd to access
to a Subversion repository. This module is provided with
Subversion.
A web user can request a lock on a file via WebDAV. In this case,
the mod_dav_svn module calls the dav_svn__push_locks() function.
This function calls svn_fs_get_access() to obtain information
about the user.
However, if the user is anonymous, the svn_fs_get_access()
function returns a NULL pointer. The dav_svn__push_locks()
function then dereferences a NULL pointer.
An unauthenticated attacker can therefore send a LOCK query to the
HTTP Subversion service, in order to stop it.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Subversion-denial-of-service-of-mod-dav-svn-10422