lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 28 Jun 2015 20:35:09 +0200
From: Oliver-Tobias Ripka <otr@...kcay.de>
To: undisclosed-recipients: ;
Subject: CollabNet Subversion Edge Password Hash Leak

# Vuln Title: The CollabNet Subversion Edge Management frontend user credential
# (hash) leak
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Credential leak
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management Frontend leaks the unsalted MD5 hash of
password of the currently logged in user via a "POST /csvn/user/index" request.
An attacker that exploits an XSS or has gained a valid session via other means
is able to retrieve the unsalted MD5 hash of the corresponding user and easily
crack the hash in order to know the users password.

Request 1 (set password)
	POST /csvn/user/index HTTP/1.1
	Host: example.com:4434
	[...]
	id=5&version=15&passwd_change_active=false&passwd=aaaaa&confirmPasswd=&realUserName=XXX&email=YYYY&description=ZZZ&_action_update=Update

Response 1:
	HTTP/1.1 302 Found
	[...]
	Location: https://example.com:4434/csvn/user/show/5
	Content-Length: 0

Request 2 (generated by clicking edit in the following page; request below the iamge): 
	GET /csvn/user/edit/5 HTTP/1.1
	Host: example.com:4434
	[...]
	Cookie: SESSID=xxxxxxxxxxxxxxxxxxxx;

Response 2 (leaked hash read from DB and echoed back into password change form):
	HTTP/1.1 200 OK
	[...]
	<input type="password" id="passwd" name="passwd" value="4db81436059d080afe532cc0cbd1cea5"/>

Fix proposal:

Do not echo the current hash in the database back to the user when changing the
password. Only accept passwords as input fields and no hashes.

Vendor fix:

The leak is plugged.

Powered by blists - more mailing lists