CollabNet Subversion Edge downloadHook local file inclusion

Type securityvulns
Reporter Securityvulns
Modified 2015-07-05T00:00:00


Vuln Title: Local file inclusion in CollabNet Subversion Edge Management

Frontend via logfile "filename" parameter of the "downloadHook" action

Date: 28.06.2015

Author: otr

Software Link:

Vendor: CollabNet

Version: 4.0.11

Tested on: Fedora Linux

Type: Local file inclusion

Risk: Medium

Status: public/fixed

Fixed version: 5.0


2014-10-09 Flaw Discovered 2014-10-20 Vendor contacted 2014-10-21 Vendor response 2014-12-08 Vendor fix proposal 2014-12-08 Extension of embargo to 19.4.2015 2015-05-04 Extension of embargo until release of version 5.0 2015-05-18 Release of version 5.0 and public disclosure


The CollabNet Subversion Edge Management Frontend allows authenticated admins to read arbitrary local files via logfile "filename" parameter of the "downloadHook" action


Example URL:

Fix proposal:

Remove feature or santizes the "filename" parameter so that no path traversals and arbitrary file inclusions are possible.

Vendor fix:

[...] now allow only showing hooks/logs within the intended directories.