-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1701
         Vulnerabilities have been identified in Apache Subversion
                             27 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Subversion
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service   -- Existing Account
                   Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4558 CVE-2013-4505 

Original Bulletin: 
   http://subversion.apache.org/security/CVE-2013-4505-advisory.txt
   http://subversion.apache.org/security/CVE-2013-4558-advisory.txt

Comment: This bulletin contains two (2) Apache Software Foundation security
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

  mod_dontdothat does not restrict requests from serf based clients.

Summary:
========

  mod_dontdothat allows you to block update REPORT requests against certain
  paths in the repository.  It expects the paths in the REPORT request
  to be absolute URLs.  Serf based clients send relative URLs instead
  of absolute URLs in many cases.  As a result these clients are not blocked
  as configured by mod_dontdothat.

Known vulnerable:
=================

  mod_dontdothat 1.4.0 through 1.7.13
  mod_dontdothat 1.8.0 through 1.8.4

  Note that mod_dontdothat lived in contrib until 1.7.3, and contrib has not
  been included in Subversion source tarballs since 1.7.0, so the Subversion
  1.7.0 through 1.7.2 tarballs did not include mod_dontdothat (it was still
  available from the repository tags for those versions under contrib).

Known fixed:
============

  mod_dontdothat 1.7.14
  mod_dontdothat 1.8.5 

Details:
========

  mod_dontdothat allows the blocking of certain update REPORT requests based
  on the paths of the requests.  This is typically done to block requests
  against the root of the repository or the tags and branches directories where
  there may be large trees and require a large amount of server resources to
  fulfill.

  Update REPORT requests are used to fulfill requests from the client for the
  following commands:
    checkout
    update
    export
    diff (when a server URL or revision other than the BASE is specified)
    status -u
    copy $URL $WC

  The request body includes a src-path and sometimes a dst-path entity.
  mod_dontdothat matches those paths against the configured paths to deny.
  When matching the src-path and dst-path, mod_dontdothat expects an
  absolute URL.  However, serf based clients send only a relative path in
  the src-path entity.  Relative paths have been accepted by mod_dav_svn
  since before Subversion 1.0, but neon based clients never produced them.

  When a path is not an absolute URL, mod_dontdothat allows the request
  without checking it.  As a result, serf based clients are not blocked by
  mod_dontdothat.  Other clients could be modified to avoid the restrictions
  in the same way, though we are unaware of anyone doing so.
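  Worked illustration, added to this bulletin and not code from the Apache
  advisory or from Subversion itself: the src-path check reduced to plain
  Python, once as the vulnerable versions behaved (only an absolute URL is
  inspected, everything else falls through to "legal") and once as the fixed
  versions behave (URL or bare path is reduced to a repository path,
  canonicalized, and every error rejects).  The <Location /repos> base path,
  the deny list, the glob matching, the canonicalization routine and the two
  REPORT bodies are all assumed or constructed for the demonstration.

```python
# Added example, not Subversion code: the src-path check of mod_dontdothat
# before and after the fix, reduced to plain Python.  Everything below
# (BASE_PATH, the deny list, glob matching, the REPORT bodies) is assumed
# or constructed for the demonstration.
import fnmatch
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

BASE_PATH = "/repos"          # assumed <Location /repos> for mod_dav_svn
# Assumed deny entries for the repository root and the tags/branches trees.
# Real mod_dontdothat patterns have their own rules; fnmatch stands in here.
DENY = ["/", "/tags", "/tags/*", "/branches", "/branches/*"]

SVN_NS = "{svn:}"             # the S: namespace of Subversion's DAV protocol
URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")   # like svn_path_is_url()


def src_path_from_report(body):
    """Return the text of the S:src-path element of an update REPORT."""
    el = ET.fromstring(body).find(SVN_NS + "src-path")
    return el.text if el is not None else None


def split_uri(path):
    """Stand-in for dav_svn_split_uri(): strip the <Location> prefix and a
    trailing slash; return the repository-relative path, or None (error)."""
    if path == BASE_PATH or path.startswith(BASE_PATH + "/"):
        rel = path[len(BASE_PATH):].rstrip("/")
        return rel or "/"
    return None


def canonicalize(path):
    """Approximation of svn_fspath__canonicalize(): collapse repeated
    slashes and drop '.' segments.  '..' is left alone, as in the real one."""
    segs = [s for s in path.split("/") if s and s != "."]
    return "/" + "/".join(segs)


def denied(repos_path):
    return any(fnmatch.fnmatchcase(repos_path, pat) for pat in DENY)


def is_legal_vulnerable(uri):
    """1.4.0-1.7.13 and 1.8.0-1.8.4 behaviour: only an absolute URL is
    inspected; anything else falls through to 'legal'."""
    if not uri:
        return True
    i = uri.find("://")                  # ap_strstr_c(uri, "://")
    if i < 0:
        return True                      # relative path (serf): never checked
    j = uri.find("/", i + 3)             # ap_strchr_c(uri + 3, '/')
    if j < 0:
        return True
    repos_path = split_uri(uri[j:])
    if repos_path is None:
        return True                      # split error also fell open
    return not denied(repos_path)        # no canonicalization either


def is_legal_fixed(uri):
    """1.7.14 and 1.8.5 behaviour: absolute URLs and bare paths are both
    reduced to a path and checked, and every error path rejects."""
    if not uri:
        return False
    if URL_RE.match(uri):
        try:
            path = urlsplit(uri).path    # apr_uri_parse(): keep the path only
        except ValueError:
            return False                 # parse failure: blocked
    else:
        path = uri
    repos_path = split_uri(path)
    if repos_path is None:
        return False                     # dav_svn_split_uri() error: blocked
    return not denied(canonicalize(repos_path))


# Constructed request bodies in the shape of an update REPORT (not captured
# traffic): the same checkout of /tags as a neon client and a serf client
# would phrase it.
NEON_REPORT = """<S:update-report send-all="true" xmlns:S="svn:">
<S:src-path>http://svn.example.com/repos/tags</S:src-path>
<S:target-revision>100</S:target-revision>
</S:update-report>"""
SERF_REPORT = NEON_REPORT.replace("http://svn.example.com/repos/tags",
                                  "/repos/tags")


def evaluate(body):
    """Return (vulnerable_verdict, fixed_verdict); True means 'allowed'."""
    src = src_path_from_report(body)
    return is_legal_vulnerable(src), is_legal_fixed(src)


if __name__ == "__main__":
    for name, body in (("neon-style", NEON_REPORT), ("serf-style", SERF_REPORT)):
        old, new = evaluate(body)
        print("%-10s vulnerable=%s fixed=%s" % (
            name, "allow" if old else "block", "allow" if new else "block"))
```

  Running it prints one verdict line per body: the neon-style body is
  blocked by both checks, the serf-style body is allowed by the old check
  and blocked by the new one.  Feeding is_legal_vulnerable() a URL spelled
  "http://svn.example.com/repos//tags/." shows the second gap the patch
  closes, since only the canonicalization step maps that onto the denied
  "/tags" entry.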

Severity:
=========

  CVSSv2 Base Score: 2.6
  CVSSv2 Base Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P

  We consider this to be a low risk vulnerability.  mod_dontdothat is not
  typically installed.  It is not intended or useful as an access control
  mechanism.  Rather it exists primarily to prevent users unintentionally
  making expensive requests against the server.

  Clients may be able to use more resources than the server admin may have
  expected and planned for based on their configuration.  This increased
  resource usage may impact performance and the availability of the server.

  A server admin who has configured mod_dontdothat would expect matching
  update REPORT requests to be blocked, but they will not be when the client
  is serf based.  Serf was added as an HTTP library in Subversion 1.4 as a
  compile time option.  In 1.5 it became possible to choose it at run time,
  provided it had been enabled at compile time.  With 1.8 it became the only
  supported HTTP library.

  As a result, clients that evade these restrictions are in common use and
  no special effort is required to evade them.

Recommendations:
================

  Admins using mod_dontdothat are advised to upgrade to 1.7.14 or 1.8.5.

  It may be possible to configure httpd to reject all update REPORT requests
  that do not carry an absolute URL.  However, doing so has the effect of
  blocking all serf based clients.  Given that serf is the only HTTP library
  in 1.8.x we do not recommend doing so.

References:
===========

  CVE-2013-4505  (Subversion)
  mod_dontdothat (Subversion)

Reported by:
============

  Ben Reser, WANdisco 

Patches:
========

Patch for Subversion 1.7.x and 1.8.x:
[[[
Index: tools/server-side/mod_dontdothat/mod_dontdothat.c
===================================================================
- --- tools/server-side/mod_dontdothat/mod_dontdothat.c	(revision 1541183)
+++ tools/server-side/mod_dontdothat/mod_dontdothat.c	(working copy)
@@ -30,6 +30,7 @@
 #include <util_filter.h>
 #include <ap_config.h>
 #include <apr_strings.h>
+#include <apr_uri.h>
 
 #include <expat.h>
 
@@ -36,6 +37,8 @@
 #include "mod_dav_svn.h"
 #include "svn_string.h"
 #include "svn_config.h"
+#include "svn_path.h"
+#include "private/svn_fspath.h"
 
 module AP_MODULE_DECLARE_DATA dontdothat_module;
 
@@ -161,6 +164,34 @@
     }
 }
 
+/* duplicate of dav_svn__log_err() from mod_dav_svn/util.c */
+static void
+log_dav_err(request_rec *r,
+            dav_error *err,
+            int level)
+{
+    dav_error *errscan;
+
+    /* Log the errors */
+    /* ### should have a directive to log the first or all */
+    for (errscan = err; errscan != NULL; errscan = errscan->prev) {
+        apr_status_t status;
+
+        if (errscan->desc == NULL)
+            continue;
+
+#if AP_MODULE_MAGIC_AT_LEAST(20091119,0)
+        status = errscan->aprerr;
+#else
+        status = errscan->save_errno;
+#endif
+
+        ap_log_rerror(APLOG_MARK, level, status, r,
+                      "%s  [%d, #%d]",
+                      errscan->desc, errscan->status, errscan->error_id);
+    }
+}
+
 static svn_boolean_t
 is_this_legal(dontdothat_filter_ctx *ctx, const char *uri)
 {
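Review bot: log_dav_err() is, as its own comment says, a copy of dav_svn__log_err() from mod_dav_svn/util.c, and copies drift; prefer exporting the logger from mod_dav_svn, or at least add a matching "keep in sync with mod_dontdothat" comment in util.c. The `#if AP_MODULE_MAGIC_AT_LEAST(20091119,0)` switch between `errscan->aprerr` and `errscan->save_errno` also deserves a one-line comment naming the httpd versions each branch serves, since nothing in the function explains it.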
@@ -167,20 +198,37 @@
   const char *relative_path;
   const char *cleaned_uri;
   const char *repos_name;
+  const char *uri_path;
   int trailing_slash;
   dav_error *derr;
 
- -  /* Ok, so we need to skip past the scheme, host, etc. */
- -  uri = ap_strstr_c(uri, "://");
- -  if (uri)
- -    uri = ap_strchr_c(uri + 3, '/');
+  /* uri can be an absolute uri or just a path, we only want the path to match
+   * against */
+  if (uri && svn_path_is_url(uri))
+    {
+      apr_uri_t parsed_uri;
+      apr_status_t rv = apr_uri_parse(ctx->r->pool, uri, &parsed_uri);
+      if (APR_SUCCESS != rv)
+        {
+          /* Error parsing the URI, log and reject request. */
+          ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, ctx->r,
+                        "mod_dontdothat: blocked request after failing "
+                        "to parse uri: '%s'", uri);
+          return FALSE;
+        }
+      uri_path = parsed_uri.path;
+    }
+  else
+    {
+      uri_path = uri;
+    }
 
- -  if (uri)
+  if (uri_path)
     {
       const char *repos_path;
 
       derr = dav_svn_split_uri(ctx->r,
- -                               uri,
+                               uri_path,
                                ctx->cfg->base_path,
                                &cleaned_uri,
                                &trailing_slash,
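Review bot: the behavioural change that matters is that every failure path now returns FALSE (request blocked), where the old code's `if (uri)` fell through to `return TRUE`; that is the right default for a deny filter and should be stated in the commit message. One gap: apr_uri_parse() leaves `parsed_uri.path` NULL for a URL with no path component (e.g. "http://host"), so `uri_path` is NULL for that input and it is rejected further down with a "module bug?" message that is wrong for it. Test `parsed_uri.path == NULL` right after the parse and log it as a malformed src-path instead.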
@@ -194,7 +242,7 @@
           if (! repos_path)
             repos_path = "";
 
- -          repos_path = apr_psprintf(ctx->r->pool, "/%s", repos_path);
+          repos_path = svn_fspath__canonicalize(repos_path, ctx->r->pool);
 
           /* First check the special cases that are always legal... */
           for (idx = 0; idx < ctx->allow_recursive_ops->nelts; ++idx)
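Review bot: only one side of the comparison is canonicalized here. `repos_path` now arrives as svn_fspath__canonicalize() output, but the configured entries it is matched against are used as typed in the dontdothat config, so an entry written with a trailing slash or a doubled slash will never match again. Canonicalize the configured patterns once when the config is loaded, or document that they must already be canonical.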
@@ -228,7 +276,20 @@
                 }
             }
         }
+      else
+        {
+          log_dav_err(ctx->r, derr, APLOG_ERR);
+          return FALSE;
+        }
+
     }
+  else
+    {
+      ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r,
+                    "mod_dontdothat: empty uri passed to is_this_legal(), "
+                    "module bug?");
+      return FALSE;
+    }
 
   return TRUE;
 }
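Review bot: both new rejection branches log at APLOG_ERR, and the request that triggers them needs no authentication (AV:N/Au:N per the score above), which hands a client a cheap way to fill the error log; APLOG_WARNING fits a request that was handled and blocked rather than a server fault. The "module bug?" wording in the empty-uri branch is also reachable from input (an empty src-path element, or the NULL path apr_uri_parse() returns for a URL with no path), so phrase it as a rejected request rather than a bug.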
]]]

*****************************************************************************

  mod_dav_svn assertion triggered by non-canonical URLs in autoversioning
  commits.

Summary:
========

  When SVNAutoversioning is enabled via

    SVNAutoversioning on

  commits can be made by single HTTP requests such as MKCOL and
  PUT.  If Subversion is built with assertions enabled any such
  requests that have non-canonical URLs, such as URLs with a
  trailing /, may trigger an assert.  An assert will cause the
  Apache process to abort.

Known vulnerable:
=================

  mod_dav_svn 1.7.11 through 1.7.13
  mod_dav_svn 1.8.1 through 1.8.4

Known fixed:
============

  mod_dav_svn 1.7.14
  mod_dav_svn 1.8.5

Details:
========

  Given a repository located at http://example.com/repos the assert can
  be triggered by commands like:

    curl -X PUT http://example.com/repos/A/
    curl -X MKCOL http://example.com/repos/A/../B

  The assert happens after the commit has happened in the repository
  and will not occur if the commit is rejected.

Severity:
=========

  CVSSv2 Base Score: 3.5
  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

  We consider this to be a low risk vulnerability.

  The attacker needs to have commit access to the repository to exploit
  the vulnerability.

  Most Subversion servers do not have autoversioning enabled.

  There is only an impact if mod_dav_svn was built with assertions enabled;
  with assertions disabled there is none.  Assertions are enabled by default
  on *nix builds and disabled on Windows builds.

  The assertion will cause the httpd server process to abort.  Servers using
  the prefork MPM simply start a new process to replace the one that died.
  Servers using a threaded MPM also lose every other request being handled
  by the process the attack kills.  In either case there is the processing
  cost of restarting a process and the loss of per-process caches.

Recommendations:
================

  We recommend all users upgrade mod_dav_svn to Subversion 1.8.5 or 1.7.14 or
  newer.

  Disabling SVNAutoversioning will avoid the problem.

  Building Subversion with assertions disabled will avoid the problem.
  This can be done using the --disable-debug option to configure on *nix and
  by using a Release build profile on Windows.

References:
===========

  CVE-2013-4558 (Subversion)

Reported by:
============

  Philip Martin, WANdisco

Patches:
========

Patch for Subversion 1.7.x and 1.8.x:
[[[
Index: subversion/mod_dav_svn/repos.c
===================================================================
- --- subversion/mod_dav_svn/repos.c	(revision 1539596)
+++ subversion/mod_dav_svn/repos.c	(working copy)
@@ -2456,9 +2456,12 @@ get_parent_resource(const dav_resource *resource,
       parent->info = parentinfo;
 
       parentinfo->uri_path =
- -        svn_stringbuf_create(get_parent_path(resource->info->uri_path->data,
- -                                             TRUE, resource->pool),
- -                             resource->pool);
+        svn_stringbuf_create(
+               get_parent_path(
+                   svn_urlpath__canonicalize(resource->info->uri_path->data,
+                                            resource->pool),
+                   TRUE, resource->pool),
+               resource->pool);
       parentinfo->repos = resource->info->repos;
       parentinfo->root = resource->info->root;
       parentinfo->r = resource->info->r;
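Review bot: canonicalizing only at this call site silences the reported assert but leaves the non-canonical string in `resource->info->uri_path` itself, so any other consumer that asserts on canonical input can still abort the worker. Canonicalize uri_path once where the resource is built (and consider rejecting a URL that is still non-canonical after httpd's own processing with a 400), rather than at each use. The advisory notes the assert fires after the commit has succeeded; a regression test doing PUT on `.../A/` against an SVNAutoversioning server would pin the fix.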
]]]

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----