I was looking for an SVN provider for a personal project. One of the providers that I found (will not disclose the name) had a very nice offer and some extra features compared to the others. So, I started playing with their website and SVN. By mistake, I found that only the first 8 characters of the password are validated when logging in to the SVN repository. What does that mean? It means that if my password is “MySuperStrongPassword” then I can log in with any of the following:
- “MySuperS”,
- “MySuperSXX”,
- “MySuperSUselessCharacters”
because only the first 8 characters (“MySuperS”) get validated, which makes a password longer than 8 characters exactly as strong as an 8-character one.
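The check described above is easy to reproduce against any login you control, and that is the quickest way to find out whether a provider silently truncates passwords. The following is an added example, not code from the post or from the provider: it emulates a truncating password store next to a correct one (the classic cause of an 8-character limit is the traditional DES-based crypt(3) hash, which ignores everything after the eighth character), and then probes a verifier to measure how many leading characters it actually checks. The PBKDF2 hashing, the `truncate_to` parameter and the password used are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Tuple

Record = Tuple[bytes, bytes]  # (salt, derived key)


def _derive(secret: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 stands in for whatever hash the provider really uses;
    # only the truncation behaviour matters for this demonstration.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


def enroll(password: str, truncate_to: int = 0) -> Record:
    """Store a password. truncate_to > 0 emulates a scheme such as traditional
    DES crypt(3) that discards everything after the first N characters."""
    secret = password[:truncate_to] if truncate_to > 0 else password
    salt = os.urandom(16)
    return salt, _derive(secret, salt)


def make_verifier(record: Record, truncate_to: int = 0) -> Callable[[str], bool]:
    """Return a login function bound to one stored record (same truncation rule)."""
    salt, stored = record

    def verify(attempt: str) -> bool:
        secret = attempt[:truncate_to] if truncate_to > 0 else attempt
        return hmac.compare_digest(_derive(secret, salt), stored)

    return verify


def effective_password_length(verify: Callable[[str], bool], password: str) -> int:
    """Number of leading characters of `password` that `verify` really checks.

    Walk from the last character backwards, changing one character at a time.
    The first position whose change is rejected bounds the checked prefix.
    Only the account owner's own password is probed; no guessing is involved.
    """
    if not verify(password):
        raise ValueError("the correct password must authenticate before probing")
    for i in range(len(password) - 1, -1, -1):
        flipped = "X" if password[i] != "X" else "Y"
        probe = password[:i] + flipped + password[i + 1:]
        if not verify(probe):
            return i + 1
    return 0  # no character matters at all: the verifier accepts anything


def truncates_passwords(verify: Callable[[str], bool], password: str) -> bool:
    """True when part of the password is ignored, as in the post."""
    return effective_password_length(verify, password) < len(password)


if __name__ == "__main__":
    pw = "MySuperStrongPassword"  # constructed sample, the one from the post
    weak = make_verifier(enroll(pw, truncate_to=8), truncate_to=8)
    good = make_verifier(enroll(pw))
    for name, verify in (("truncating", weak), ("correct", good)):
        print(name, "checks", effective_password_length(verify, pw), "of", len(pw),
              "characters; accepts 'MySuperSXX':", verify("MySuperSXX"))
```

Run against a real account, `verify` would wrap a login attempt (an HTTP Basic request to the repository URL, for example); a result smaller than the password length is the finding the post describes, and the fix on the server side is to store hashes with a scheme that consumes the whole password rather than the first eight bytes.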
Immediately, I sent a message to customer service:
Dear sir/madam,
[...] If I set a password with more than 8 characters then only the first 8 are validated at SVN login, making it possible to access the repository by using just the first 8 characters of my password.
[... the rest of the message with details and repro steps]
They have a good (but useless, as will be seen soon) customer service. I got the response after 3 hours:
Hi Victor,
This is not so much an issue with our Subversion servers; it's more a feature of Apache-based systems.
I'm interested to understand why you think this is a security issue though.
Please let me know if you need any further assistance.
Cheers,[...]
Do I need to add any more comments? WTF? I explained to the guy why I think that's a big issue and he closed the thread without any extra comments.
The sad part is that a few hundred companies pick them, every week, for hosting projects (that’s what their website says)…
I love that feature, I really do, but somehow, I prefer software without it.
And, dude, please tell: which was it?
BTW: MySuperS, not MySuperP. ;)
That’s insane. This is no feature of Apache – this is more of a misconfiguration.
@Mictateur: I fixed the typo. Thanks!
@Dorin: Totally agree