
V-170: Apache Subversion Hook Scripts Arbitrary Command Injection Vulnerability

June 4, 2013 - 12:17am


PROBLEM:

Apache Subversion Hook Scripts Arbitrary Command Injection Vulnerability

PLATFORM:

Apache Subversion 1.x

ABSTRACT:

A vulnerability has been reported in Apache Subversion.

REFERENCE LINKS:

Apache Original Advisory
Secunia Advisory SA53727
CVE-2013-2088

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The vulnerability is caused by an input validation error in the svn-keyword-check.pl hook script when it processes filenames. It can be exploited to inject and execute arbitrary shell commands via a specially crafted request.

Successful exploitation requires that contrib scripts are used on the server.

The vulnerability is reported in versions 1.6.22 and prior and versions 1.7.10 and prior.
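The class of bug described above, a filename pasted into a shell command line, is shown here beside the argument-list form that avoids it. This is an added illustration in Python, not code from svn-keyword-check.pl or from the Apache patch; the probe process standing in for svnlook and the sample filename are constructed assumptions.

```python
import shlex
import subprocess
import sys

# Stand-in for svnlook (assumption, so the example runs without Subversion):
# a child process that prints the argument list it actually received.
PROBE = "import sys; print(sys.argv[1:])"

# Constructed filename containing a shell metacharacter (';').
SAMPLE_PATH = "trunk/notes.txt; echo SECOND-COMMAND"


def run_interpolated(path):
    """Weak pattern: the filename is pasted into a string that /bin/sh parses."""
    line = f"{shlex.quote(sys.executable)} -c {shlex.quote(PROBE)} cat {path}"
    done = subprocess.run(line, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_argv(path):
    """Hardened pattern: no shell is involved; the filename is one argv element."""
    argv = [sys.executable, "-c", PROBE, "cat", path]
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # The shell splits the string at ';' and runs what follows as its own command.
    print("interpolated:", run_interpolated(SAMPLE_PATH))
    # The child receives the filename byte-for-byte as a single argument.
    print("argv list:   ", run_argv(SAMPLE_PATH))
```

Both functions behave identically for an ordinary filename; they diverge only when the name contains characters the shell treats as syntax, which is why this kind of defect survives normal testing.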

IMPACT:

The vulnerability can be exploited by malicious users to compromise a vulnerable system.

SOLUTION:

Users should apply the patch.
