# Vuln Title: The CollabNet Subversion Edge Management frontend user credential (hash) leak
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Credential leak
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management Frontend leaks the unsalted MD5 hash of the password of the currently logged-in user via a "POST /csvn/user/index" request. An attacker who exploits an XSS, or who has gained a valid session by other means, is able to retrieve the unsalted MD5 hash of the corresponding user and easily crack the hash in order to learn the user's password.

Request 1 (set password):

POST /csvn/user/index HTTP/1.1
Host: example.com:4434
[...]

id=5&version=15&passwd_change_active=false&passwd=aaaaa&confirmPasswd=&realUserName=XXX&email=YYYY&description=ZZZ&_action_update=Update

Response 1:

HTTP/1.1 302 Found
[...]
Location: https://example.com:4434/csvn/user/show/5
Content-Length: 0

Request 2 (generated by clicking edit in the following page; request below the image):

GET /csvn/user/edit/5 HTTP/1.1
Host: example.com:4434
[...]
Cookie: SESSID=xxxxxxxxxxxxxxxxxxxx;

Response 2 (leaked hash read from DB and echoed back into the password change form):

HTTP/1.1 200 OK
[...]
<input type="password" id="passwd" name="passwd" value="4db81436059d080afe532cc0cbd1cea5"/>

Fix proposal:

Do not echo the current hash from the database back to the user when changing the password. Only accept passwords as input fields, never hashes.

Vendor fix:

The leak is plugged.
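The flaw is a password input field that carries a server-side secret in its value attribute, so a regression check for it is a parser that flags any password input returned with a non-empty value. The following audit helper is an added example written for this advisory, not code from the advisory author or from CollabNet; the HTML body is constructed to mirror "Response 2" above, and the element and attribute names are only those quoted on the page.

```python
import re
from html.parser import HTMLParser

# Constructed sample response body, modelled on "Response 2" in the advisory.
# The digest is the value quoted on the page; the surrounding form is assumed.
SAMPLE_RESPONSE = """
<html><body><form action="/csvn/user/update" method="post">
<input type="hidden" name="id" value="5"/>
<input type="text" id="realUserName" name="realUserName" value="XXX"/>
<input type="password" id="passwd" name="passwd" value="4db81436059d080afe532cc0cbd1cea5"/>
<input type="password" id="confirmPasswd" name="confirmPasswd" value=""/>
</form></body></html>
"""

# 32/40/64 hex characters: the shape of an MD5, SHA-1 or SHA-256 digest.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


class PasswordFieldAuditor(HTMLParser):
    """Collects every <input type="password"> whose value attribute is non-empty.

    A correctly built password-change form never pre-fills such a field, so
    any finding is a leak of server-side data into the page. Self-closing
    tags reach handle_starttag via HTMLParser's default handle_startendtag.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        value = a.get("value", "")
        if value:
            self.findings.append({
                "name": a.get("name") or a.get("id") or "?",
                "value": value,
                "looks_like_digest": bool(HEX_DIGEST.match(value)),
            })


def audit_password_fields(html):
    """Return the list of pre-filled password fields found in an HTML body."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    return parser.findings
```

Running `audit_password_fields(SAMPLE_RESPONSE)` reports the `passwd` field with a 32-hex value, while the empty `confirmPasswd` field is not reported; against the fixed version the result should be an empty list.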