Vulnerability in Subversion

Date: 
09/13/2008
Severity: 
Med (Arbitrary code execution)
Affected Systems: 

Known vulnerable: Subversion ≤ 1.4.4 (including clients like TortoiseSVN)
Known fixed: Subversion ≥ 1.4.5

Summary: 

Subversion fails to validate that filenames obtained from the
Subversion server during svn checkout do not
contain ..\, allowing the creation of files
outside of the checkout directory. Users on operating
systems where \ is not used to separate directory
paths can commit files with ..\ in the path.

How to Reproduce: 
On a UNIX system, create a file "..\DIRNAME/exploit.exe" and check it into a repository at the top level. Then check out that repository from a W32 system. The file will appear outside of the checkout directory, under "DIRNAME" instead.
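
The following is an added example, not part of the original advisory and not the attached patch. It resolves the entry name from the steps above under UNIX and Windows path rules to show why the same name stays inside the checkout on one and leaves it on the other, and it sketches a server-side or client-side name check. The checkout roots and the rejection policy are assumptions made for illustration.

```python
import ntpath      # Windows path rules, importable on any OS
import posixpath   # UNIX path rules

# Entry name taken from the reproduction steps above
ADVISORY_NAME = "..\\DIRNAME/exploit.exe"

def resolve(root, name, pathmod):
    """Join name onto root under one OS's rules.

    Returns (final path, True if it stays inside root).
    """
    resolved = pathmod.normpath(pathmod.join(root, name))
    try:
        inside = pathmod.commonpath([root, resolved]) == pathmod.normpath(root)
    except ValueError:          # e.g. the name switched to another drive
        inside = False
    return resolved, inside

def unsafe_reason(name):
    """Why a server-supplied entry name is unsafe for some client OS, or None.

    Assumed policy for this example: no backslashes at all, no absolute
    or drive-prefixed paths, no '..' component.
    """
    if "\\" in name:
        return "backslash (path separator on Windows clients)"
    if name.startswith("/") or ntpath.splitdrive(name)[0]:
        return "absolute path or drive prefix"
    if ".." in name.split("/"):
        return "'..' component"
    return None

if __name__ == "__main__":
    # Constructed checkout roots, for illustration only
    for label, root, mod in (("UNIX", "/work/checkout", posixpath),
                             ("W32 ", "C:\\work\\checkout", ntpath)):
        path, inside = resolve(root, ADVISORY_NAME, mod)
        print(f"{label} {path!r} inside checkout: {inside}")
    for name in ("trunk/src/main.c", ADVISORY_NAME, "trunk/../../x"):
        print(f"{name!r}: {unsafe_reason(name) or 'ok'}")
```

Under UNIX rules "..\DIRNAME" is a single, oddly named directory, which is why the commit is accepted there; under Windows rules the backslash splits it into ".." and "DIRNAME".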
Impact: 
An adversary with write access to Subversion repositories can create arbitrary files on victims' machines. This could be used to install code on the system, including placing executable code into the startup sequence so that it is executed.
Patches: 
A patch for the vulnerability is attached to the original advisory.
Attachment: dotdotfix.txt (1.3 KB)