Defect #5383

closed

Redmine.pm auth vulnerability

Added by Yar Isakov over 14 years ago. Updated about 13 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: SCM
Target version: -
Start date: 2010-04-26
Due date:
% Done: 100%
Estimated time:
Resolution: Fixed
Affected version:

Description

Hello, I found that even if a project is non-public, any user can see the Subversion storage of it through Redmine.pm. Also, if a user was authenticated through LDAP, his permission was not checked (so he can check out and/or commit to it). Here is my patch for these issues.


Files

redmine.pm.patch (1.05 KB) Yar Isakov, 2010-04-26 15:53
redmine.pm.patch (1.48 KB) fixed fix Yar Isakov, 2010-04-26 21:08
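
The two behaviours reported above, as a simplified model next to a corrected access decision. This is an added example, not Redmine.pm's code or the attached patch. The class and function names, the read-only method set, the permission strings and the sample users are assumptions constructed for illustration, and every user passed in is assumed to be already authenticated.

```python
from dataclasses import dataclass, field

# Methods treated as read-only in this model (assumed set).
READ_ONLY_METHODS = frozenset({"GET", "PROPFIND", "REPORT", "OPTIONS"})

@dataclass
class User:
    login: str
    auth_source: str                           # "local" or "ldap"
    roles: dict = field(default_factory=dict)  # project id -> set of permissions

@dataclass
class Project:
    identifier: str
    is_public: bool

def reported_behaviour(user, project, method):
    """Access decision as the report describes it (model only)."""
    if method in READ_ONLY_METHODS:
        return True        # project visibility is never consulted
    if user.auth_source == "ldap":
        return True        # successful LDAP login is treated as authorization
    return "commit_access" in user.roles.get(project.identifier, set())

def hardened(user, project, method):
    """Authorization is decided the same way for every auth source."""
    read_only = method in READ_ONLY_METHODS
    if project.is_public and read_only:
        return True
    needed = "browse_repository" if read_only else "commit_access"
    return needed in user.roles.get(project.identifier, set())

def over_permitted(users, project, methods):
    """(login, method) pairs the reported behaviour allows but the hardened check denies."""
    return [(u.login, m) for u in users for m in methods
            if reported_behaviour(u, project, m) and not hardened(u, project, m)]

# Constructed sample data: one private project and four authenticated users.
SECRET = Project("secret", is_public=False)
USERS = [
    User("alice", "local", {"secret": {"browse_repository", "commit_access"}}),
    User("bob", "local"),                                  # not a member
    User("carol", "ldap"),                                 # not a member
    User("dave", "ldap", {"secret": {"browse_repository"}}),  # read-only member
]

if __name__ == "__main__":
    for login, method in over_permitted(USERS, SECRET, ["GET", "MKACTIVITY"]):
        print(f"{login}: {method} allowed without the required permission")
```

Running the same matrix against a deployed access handler, with real test accounts in each auth source, makes a useful regression check after any change to the authorization path.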
#1

Updated by Yar Isakov over 14 years ago

I forgot to move the declaration of $method out of the unless block; here is the fixed patch.

#2

Updated by Holger Just over 14 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
  • Resolution set to Fixed

This was fixed in r3832.

Please send possible future security incidents directly to security (at) redmine (dot) org. Those will then be handled in a more private way to allow responsible disclosure of security incidents.
