Vigil@nce - Apache Subversion: denial of service via MKACTIVITY
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send a special MKACTIVITY/PROPFIND query to Apache
Subversion mod_dav_svn, in order to force it to dereference a NULL
pointer, which stops it.
Impacted products: Subversion
Severity: 2/4
Creation date: 06/03/2013
DESCRIPTION OF THE VULNERABILITY
The mod_dav_svn module is used to process Subversion operations on
Apache httpd.
The MKACTIVITY command creates a development task (transaction).
However, if this command is called on a malicious path, and is
then followed by a PROPFIND command, the svn_fs_file_length()
function dereferences a NULL pointer.
An attacker can therefore send a special MKACTIVITY/PROPFIND query
to Apache Subversion mod_dav_svn, in order to force it to
dereference a NULL pointer, which stops it.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-Subversion-denial-of-service-via-MKACTIVITY-12483