Security Issue: If repository observer role is enabled for the 'guest' user, an 
invalid user is able to deploy to that repository
---------------------------------------------------------------------------------------------------------------------------------

                 Key: MRM-967
                 URL: http://jira.codehaus.org/browse/MRM-967
             Project: Archiva
          Issue Type: Bug
          Components: Users/Security, WebDAV interface
    Affects Versions: 1.1.2
            Reporter: Maria Odea Ching
            Priority: Critical


Steps to reproduce (using repository 'snapshots'):
1. Configure the <distributionManagement> of your project's pom to deploy your 
project to 'snapshots' repository, as follows:

<distributionManagement>
  <repository>
    <id>releases</id>
    <name>Releases Repository</name>
    <layout>default</layout>
    <url>dav:http://localhost:8080/archiva/repository/releases/</url>
  </repository>
  <snapshotRepository>
    <id>snapshots</id>
    <uniqueVersion>true</uniqueVersion>
    <name>Snapshots Repository</name>
    <layout>default</layout>
    <url>dav:http://localhost:8080/archiva/repository/snapshots/</url>
  </snapshotRepository>
</distributionManagement>

2. Enable the 'snapshots' repository observer role for 'guest' user
3. Add invalid user credentials for the 'snapshots' repository in your 
settings.xml, as shown below:

<server>
  <id>snapshots</id>
  <username>invalidusername</username>
  <password>password</password>
</server> 

4. Execute 'mvn clean deploy' in your project. 

Alternatively, you can also use the deploy-file goal to replicate the issue so 
you won't need to configure your pom (ex. 'mvn deploy:deploy-file 
-Dfile=nunit.framework.dll -DgroupId=NUnit -Dversion=2.4.8.0 -Dpackaging=dll 
-DartifactId=NUnit.Framework.dll -DrepositoryId=snapshots 
-Durl=http://localhost:8080/archiva/repository/snapshots -DgeneratePom=true')
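As an added example (not Archiva's own code and not part of the report), the following Python probe performs the check behind step 4 directly over HTTP: it sends a WebDAV PUT to the repository using the bogus 'invalidusername' credentials from step 3 and reports whether the write was accepted. The user table, role map and the two in-process HTTP servers are constructed models of a lenient authorization check (the behaviour the report describes: bad credentials degrade to 'guest', and guest's observer role is enough to write) and a strict one, so the probe can run offline; Archiva's real decision code is not reproduced here, and all names are my own.

```python
"""Probe for the MRM-967 symptom: a repository that accepts an artifact
deploy (WebDAV PUT) when the supplied credentials are invalid.

Added example, not Archiva code.  The servers below are constructed
models of a lenient and a strict authorization check; use the real
Archiva URL (e.g. http://localhost:8080/archiva/repository) with
deploy_allowed_for_invalid_user() to test an actual instance.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed account and role tables (assumption, not Archiva's store).
USERS = {"deployer": "s3cret"}
ROLES = {
    "deployer": {"snapshots": {"observer", "manager"}},
    "guest": {"snapshots": {"observer"}},   # step 2 of the report
}


def basic_auth_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def authenticate(auth_header):
    """Return the username if the Basic credentials are valid, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except Exception:
        return None
    return user if USERS.get(user) == pw else None


def authorize_put(auth_header, repo, strict):
    """Decide a WebDAV PUT on `repo`; returns (http_status, effective_user).

    strict=False models the reported bug: invalid credentials fall through
    to the 'guest' user, and the observer role alone permits the write.
    strict=True models the correct check: a valid login holding the
    manager role on that repository.
    """
    user = authenticate(auth_header)
    if user is None and not strict:
        user = "guest"                       # bug: bad login treated as guest
    if user is None:
        return 401, None
    roles = ROLES.get(user, {}).get(repo, set())
    needed = "manager" if strict else "observer"   # bug: observer suffices
    if needed not in roles:
        return (401 if user == "guest" else 403), user
    return 201, user


class RepoHandler(BaseHTTPRequestHandler):
    strict = False

    def do_PUT(self):
        repo = self.path.strip("/").split("/")[0]          # /<repo>/g/a/v/...
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, _ = authorize_put(self.headers.get("Authorization"), repo, self.strict)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="repository"')
        self.end_headers()

    def log_message(self, *args):       # keep the example quiet
        pass


def probe_deploy(base_url, repo, username, password, timeout=5):
    """PUT a dummy POM with the given credentials and return the HTTP status."""
    url = f"{base_url.rstrip('/')}/{repo}/probe/probe/0.0.1/probe-0.0.1.pom"
    req = Request(url, data=b"<project/>", method="PUT",
                  headers={"Authorization": basic_auth_header(username, password),
                           "Content-Type": "application/xml"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def deploy_allowed_for_invalid_user(base_url, repo="snapshots"):
    """True if credentials that cannot exist still get the artifact stored."""
    return probe_deploy(base_url, repo, "invalidusername", "password") not in (401, 403)


def start_server(strict):
    """Start a model repository on a free loopback port; returns (server, base_url)."""
    handler = type("ModelHandler", (RepoHandler,), {"strict": strict})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    for strict in (False, True):
        srv, url = start_server(strict)
        print("strict" if strict else "lenient", "server, invalid user can deploy:",
              deploy_allowed_for_invalid_user(url))
        srv.shutdown()
```

Against a real instance the only lines that matter are `probe_deploy` and `deploy_allowed_for_invalid_user`; a 201/204 (or any non-401/403) for a username that does not exist is the bug, and a correct server must answer 401 before it ever consults guest's roles. Keep the probe pointed at a test repository, since a vulnerable server will actually store the dummy POM.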


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
