Vigil@nce - Subversion mod_dav_svn: access via SVNPathAuthz short_circuit
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the SVNPathAuthz directive is configured to "short_circuit",
some access rules of mod_dav_svn are not honored.
Severity: 2/4
Creation date: 04/10/2010
DESCRIPTION OF THE VULNERABILITY
The mod_dav_svn module is provided with Subversion. It is
installed on Apache httpd, in order to offer a remote access to
the repository.
The SVNPathAuthz directive of mod_dav_svn can be configured to
"short_circuit", in order to indicate to use only the Subversion
rules file. This is not the default configuration.
The Subversion rules file for example contains (simplified):
[/] ... (rule for the root)
[/dir] ... (rules for a directory)
[MyRepot:/dir] ... (rules for a directory of the repository)
These rules should be applied in the above order. However, the
third rule is never applied because it contains a repository name.
When the SVNPathAuthz directive is configured to "short_circuit",
some access rules of mod_dav_svn are therefore not honored.
Depening on the configuration, an attacker can thus gain a read or
write access.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Subversion-mod-dav-svn-access-via-SVNPathAuthz-short-circuit-9997