I was looking for an SVN provider for a personal project. One of the providers that I found (I will not disclose the name) had a very nice offer and some extra features compared to the others. So, I started playing with their website and SVN. By accident, I found that only the first 8 characters of the password are validated when logging in to the SVN repository. What does that mean? It means that if my password is “MySuperStrongPassword” then I can log in with any of the following:

  • MySuperS
  • MySuperSXX
  • MySuperSUselessCharacters

because only the first 8 characters (MySuperS) get validated, which makes a password of more than 8 characters exactly as strong as one with 8 characters.
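The behaviour described above can be measured rather than guessed at. The following is an added example, not code from the original post or from the provider: a black-box probe that reports how many leading characters an authenticator actually checks and whether trailing junk is accepted. The two verifiers it is run against are constructed stand-ins: the "legacy" one is modelled on traditional crypt(3), which only ever looked at the first 8 characters of the password (the likely cause of the behaviour the post describes; the hashing used here is an assumption, not the provider's real scheme), and the "full" one hashes the whole password with PBKDF2. The same probe can be pointed at any callable that performs a real login attempt.

```python
"""Added example: probe how much of a password an authenticator really checks."""
import hashlib
import hmac
import os

# --- constructed verifiers (stand-ins for a provider's login check) --------

def make_legacy_verifier(password: str):
    """Constructed stand-in for an authenticator that, like traditional
    crypt(3), silently discards everything after the 8th character.
    (Hash choice is illustrative; the truncation is the point.)"""
    salt = os.urandom(16)
    stored = hashlib.sha256(salt + password[:8].encode()).digest()  # <-- the bug

    def verify(candidate: str) -> bool:
        digest = hashlib.sha256(salt + candidate[:8].encode()).digest()
        return hmac.compare_digest(stored, digest)
    return verify


def make_full_verifier(password: str, iterations: int = 200_000):
    """Hardened stand-in: PBKDF2-HMAC-SHA256 over the entire password."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def verify(candidate: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        return hmac.compare_digest(stored, digest)
    return verify


# --- the probe --------------------------------------------------------------

def effective_password_length(verify, password: str) -> int:
    """Number of leading characters the verifier actually checks.

    The known-good password must pass.  Then, for each position n, log in
    with the password where only character n has been changed.  The first n
    at which that still succeeds is a character the verifier ignores, so
    everything from n onwards is dead weight.  Returns len(password) when
    every character matters.
    """
    if not verify(password):
        raise ValueError("known-good password rejected; cannot probe")
    for n, ch in enumerate(password):
        wrong = "A" if ch != "A" else "B"
        if verify(password[:n] + wrong + password[n + 1:]):
            return n
    return len(password)


def accepts_trailing_junk(verify, password: str, junk: str = "UselessCharacters") -> bool:
    """True if the verifier accepts the password with extra characters appended."""
    return verify(password + junk)


def probe(verify, password: str) -> dict:
    """Summarise what a verifier checks for a given known-good password."""
    checked = effective_password_length(verify, password)
    return {
        "password_length": len(password),
        "characters_checked": checked,
        "truncated": checked < len(password),
        "accepts_trailing_junk": accepts_trailing_junk(verify, password),
    }


if __name__ == "__main__":
    pw = "MySuperStrongPassword"  # the post's example password
    for name, factory in (("legacy (crypt-style)", make_legacy_verifier),
                          ("full password", make_full_verifier)):
        v = factory(pw)
        print(f"{name:22s} {probe(v, pw)}")
        print(f"{'':22s} login with 'MySuperSXX' -> {v('MySuperSXX')}")
```

Against a real service the `verify` callable would wrap an actual SVN (or HTTP basic-auth) login attempt with a throwaway account you own; the probe needs only a handful of attempts, one per character position, so it will not trip sensible lockout thresholds.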

Immediately, I sent a message to customer service:

Dear sir/madam,

[...] If I set a password with more than 8 characters then only the first 8 are validated at SVN login, making it possible to access the repository by just using the first 8 characters of my password.

[... the rest of the message with details and repro steps]

They have a good (but useless, as will be seen soon) customer service. I got a response after 3 hours:

Hi Victor,

This is not so much an issue with our Subversion servers; it's more a feature of Apache-based systems.

I’m interested to understand why you think this is a security issue though.

Please let me know if you need any further assistance.

Cheers,[...]

Do I need to add any more comments? WTF? I explained to the guy why I think that's a big issue and he closed the thread without any further comments.

The sad part is that a few hundred companies pick them, every week, for hosting projects (that's what their website says)…

3 comments

  1. Mictateur on June 12th, 2011 at 12:13 am

    I love that feature, I really do, but somehow, I prefer software without it.

    And dude, please tell: which was it?

    BTW: MySuperS, not MySuperP. ;)

  2. Dorin on June 12th, 2011 at 5:44 am

    That’s insane. This is no feature of Apache – this is more of a misconfiguration.

  3. Victor on June 12th, 2011 at 9:48 am

    @Mictateur: I fixed the typo. Thanks!
    @Dorin: Totally agree
