[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CollabNet Subversion Edge downloadHook local file inclusion

# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "filename" parameter of the "downloadHook" action
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0


2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure


The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "filename" parameter of the
"downloadHook" action


	Example URL:

Fix proposal:

Remove feature or santizes the "filename" parameter so that no path traversals
and arbitrary file inclusions are possible.

Vendor fix:

[...] now allow only showing hooks/logs within the intended directories.