I was looking for an SVN provider for a personal project. One of the providers that I found (I will not disclose the name) had a very nice offer and some extra features compared to the others. So, I started playing with their website and SVN. By accident, I found that only the first 8 characters of the password are validated when logging in to the SVN repository. What does that mean? It means that if my password is “MySuperStrongPassword” then I can log in with any of the following:

  • "MySuperS",
  • "MySuperSXX",
  • "MySuperSUselsessCharacters"

because only the bold part gets validated making 8+ characters passwords as strong as those with 8 characters.

Immediately, I sent a message to customer service:

Dear sir/madam,

[…] If I set a password with more than 8 characters then only the first 8 are validated at SVN login, making it possible to access the repository by just using the first 8 characters of my password.

[… the rest of the message with details and repro steps]

They have good (but useless, as will be seen soon) customer service. I got a response after 3 hours:

Hi Victor,

This is not so much an issue with our Subversion servers; it's more a feature of Apache-based systems.

I’m interested to understand why you think this is a security issue though.

Please let me know if you need any further assistance.

Cheers, […]

Do I need to add any more comments? WTF? I explained to the guy why I think that’s a big issue and he closed the thread without any further comment.

The sad part is that a few hundred companies pick them every week for hosting projects (that’s what their website says)…
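To make the failure mode concrete, here is an added example in Python (not code from this post, its author, or the provider): a toy verifier constructed to model the behaviour described above, where only the first 8 characters take part in the check (traditional DES-based crypt(3) hashes, which htpasswd historically produced, behave this way), next to a verifier that hashes the full password, plus a check an operator can run against their own authentication function to detect silent truncation. The verifier factories and `truncation_length` are names chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

Verifier = Callable[[str], bool]


def make_truncating_verifier(password: str) -> Verifier:
    """Constructed toy verifier: models a scheme that only looks at the first
    8 characters, as DES-based crypt(3) does. Not a real password scheme."""
    salt = os.urandom(16)
    stored = hashlib.sha256(salt + password[:8].encode()).digest()

    def verify(candidate: str) -> bool:
        attempt = hashlib.sha256(salt + candidate[:8].encode()).digest()
        return hmac.compare_digest(stored, attempt)

    return verify


def make_full_length_verifier(password: str, iterations: int = 100_000) -> Verifier:
    """Verifier that feeds the whole password into PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def verify(candidate: str) -> bool:
        attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        return hmac.compare_digest(stored, attempt)

    return verify


def truncation_length(verify: Verifier, password: str) -> Optional[int]:
    """Return how many leading characters `verify` actually checks, or None if
    every character matters. Needs the real password; a password shorter than
    the truncation point cannot reveal it (the loop then finds nothing)."""
    for n in range(1, len(password)):
        # A shorter prefix that still authenticates, and that keeps
        # authenticating with junk appended, proves characters past n are ignored.
        if verify(password[:n]) and verify(password[:n] + "XX"):
            return n
    return None


if __name__ == "__main__":
    pw = "MySuperStrongPassword"
    print("legacy verifier checks:", truncation_length(make_truncating_verifier(pw), pw))
    print("full-length verifier checks:", truncation_length(make_full_length_verifier(pw), pw))
```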