Subversion HTTP servers 1.5.0 to 1.6.16 (inclusive) could leak the contents of files configured to be unreadable. Summary: ======== Subversion's mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users. There are no known instances of this problem being observed in the wild, but an exploit has been tested. Known vulnerable: ================= Subversion HTTPD servers >= 1.5.0 and <= 1.6.16 Known fixed: ============ Subversion 1.6.17 svnserve (any version) is not vulnerable Details: ======== Subversion Apache/mod_dav_svn servers may be configured to provide path-based access control for files and directories stored in the Subversion repository. In the general case, mod_dav_svn asks access questions ("Does the user who is requesting information from this server have permission to read SOME-PATH in SOME-REVISION?") of Apache's authorization subsystem using Apache's internal subrequest mechanism. Apache partially handles these subrequests, returning either a successful or an unsuccessful status code after its authorization subsystem has determined whether read access to the requested resource URL has been granted or denied, respectively. In certain circumstances, mod_dav_svn improperly generates the resource URLs that it uses in these subrequests, resulting in Apache's authorization subsystem answering the access question for the incorrect resource. Specifically, this leakage is limited to: * files and directories which are themselves configured to be unreadable, but * which are children (immediate or otherwise) of a readable directory which itself was copied or moved from an unreadable path, and * which were present in that directory at the time of its copy or move. * Finally, the attacker must be using mod_dav_svn's "replay" REPORT mechanism to access the extended history of the repository. NOTE: This vulnerability is not triggerable if mod_dav_svn is configured with the "SVNPathAuthz short_circuit" httpd.conf directive. Unfortunately, an independent denial of service vulnerability (CVE-2011-1783) prevents the use of this approach as a suitable workaround. Severity: ========= File contents of privileged documents could be leaked in full to users who shouldn't be permitted to see them. NOTE: We believe this leak is limited to a specific revision of those documents -- the revision in which their parent directory was copied from an unreadable location -- but have not verified as much. Recommendations: ================ We recommend all users to upgrade to Subversion 1.6.17. Users of Subversion 1.5.x or 1.6.x who are unable to upgrade may apply the included patch. New Subversion packages can be found at: http://subversion.apache.org/packages.html References: =========== CVE-2011-1921 (Subversion) Reported by: ============ Kamesh Jayachandran, CollabNet, Inc.