The CollabNet Subversion Edge Management Frontend leaks the unsalted MD5 hash of password of the currently logged in user via a "POST /csvn/user/index" request. An attacker that exploits an XSS or has gained a valid session via other means is able to retrieve the unsalted MD5 hash of the corresponding user and easily crack the hash in order to know the users password. Fixed in version 5.0.
1d88ce5b1e015850cee7a266039f0317d57a1d11a0b2b10402aefdd630149ba1
# Vuln Title: The CollabNet Subversion Edge Management frontend user credential
# (hash) leak
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Credential leak
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
Timeline:
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
Summary:
The CollabNet Subversion Edge Management Frontend leaks the unsalted MD5 hash of
password of the currently logged in user via a "POST /csvn/user/index" request.
An attacker that exploits an XSS or has gained a valid session via other means
is able to retrieve the unsalted MD5 hash of the corresponding user and easily
crack the hash in order to know the users password.
Request 1 (set password)
POST /csvn/user/index HTTP/1.1
Host: example.com:4434
[...]
id=5&version=15&passwd_change_active=false&passwd=aaaaa&confirmPasswd=&realUserName=XXX&email=YYYY&description=ZZZ&_action_update=Update
Response 1:
HTTP/1.1 302 Found
[...]
Location: https://example.com:4434/csvn/user/show/5
Content-Length: 0
Request 2 (generated by clicking edit in the following page; request below the iamge):
GET /csvn/user/edit/5 HTTP/1.1
Host: example.com:4434
[...]
Cookie: SESSID=xxxxxxxxxxxxxxxxxxxx;
Response 2 (leaked hash read from DB and echoed back into password change form):
HTTP/1.1 200 OK
[...]
<input type="password" id="passwd" name="passwd" value="4db81436059d080afe532cc0cbd1cea5"/>
Fix proposal:
Do not echo the current hash in the database back to the user when changing the
password. Only accept passwords as input fields and no hashes.
Vendor fix:
The leak is plugged.