Jun 11th, 2011
I was looking for an SVN provider for a personal project. One of the providers that I found (will not disclose the name) had a very nice offer and some extra features compared to the others. So, I started playing with their website and SVN. By mistake, I found that only the first 8 characters of the password are validated when logging in to the SVN repository. What does that mean? It means that if my password is “MySuperStrongPassword” then I can login with any of the following:
because only the bold part gets validated making 8+ characters passwords as strong as those with 8 characters.
Immediately, I sent a message to customer service:
[...]If I set a password with more than 8 characters then only the first 8 are validated at SVN login, making possible to access the repository by just using the first 8 characters of my password.
[... the rest of the message with details and repro steps]
They have a good (but useless, as will be seen soon) customer services. I got the response after 3 hours:
This is not so much an issue with our Subversion servers its more a feature of apache bassed systems.
I’m interested to understand why you think this is a security issue though.
Please let me know if you need any further assistance?
Do I need to add any more comments? WTF? I explained the guy why I think that’s a big issue and he closed the thread without any extra comments.
The sad part is that a few hundred companies pick them, every week, for hosting projects (that’s what their website says)…