Vulnerability in Gitorious


Marius Mårnes Mathiesen

Feb 6, 2013, 4:00:29 AM
to gito...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Vulnerability in the reset password functionality in Gitorious

There is a vulnerability in the reset password functionality in
Gitorious.

The root cause for this vulnerability is the way MySQL performs
automatic conversion between different data types. By carefully
crafting an XML payload and passing that to Gitorious' reset
password function, an attacker would be able to gain access to
accounts belonging to users who have recently requested a password
reset for their account.

All users should upgrade their server immediately.

* Releases

We have just released Gitorious v2.4.7, which resolves this issue.

* Workarounds

If you're unable to upgrade to the latest released version of
Gitorious, you should alter the file
app/controllers/users_controller.rb like so:

- - - @user = User.find_by_password_key(params[:token])
+ @user = User.find_by_password_key(params[:token].to_s)
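Review bot: the `.to_s` on `params[:token]` is the right minimal fix, since it guarantees the value handed to `find_by_password_key` is a String no matter how the request body was parsed (a typed value from an XML payload included), so MySQL does a string comparison instead of its implicit numeric conversion; two things are worth adding in the same change. First, `nil.to_s` is `""`, so a request with no token now looks up an empty-string key: guard with something like `token = params[:token].to_s; redirect_to ... and return if token.blank?` before the query rather than relying on no row having an empty `password_key`. Second, `find_by_*` returns `nil` when nothing matches, so the code after this line must still handle `@user` being `nil` (the hunk does not show that path). The leading `- - -` on the removed line is the PGP clear-signing dash escape, not part of the diff; the hunk is one removed and one added line.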


* Credits
Although this vulnerability was discovered by the Gitorious team,
we started looking into this issue after reading this blog post:

http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html

A big thanks to joernchen of phenoelit for discovering this
vulnerability.

--
Marius Mathiesen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQEcBAEBAgAGBQJREhsfAAoJEE38ZdArT3hktrIH/3NDQ0duvRlh7h0MNMawdBDt
fxLnRIX6CuoQSfFe0o4+Ek0OoocixO0GQJ18arVi2y9ALdl1cWN42d1gFsR602FU
5lvvxrlK41VrmA3xUSiyyjATNndNqLXSkKycI8uWhdRDxfvwm2k7UFN+8OLYmuoI
pHbvbHoHPdkEHLH8pchFWeIbSseTyEXZoRLGJZXFL7r4Ywz6ybmwffECs+km77ip
byPJv8aV5NI4U3SG4qNOiHK91z3WgHM/PpdgpqwTBgV5Lc+VMXZbsQLwKveV7J4X
I3cv59yjYm/2IPmRuTND5TSasTETAJcveVrPDcDu3O3mlbuewIaDC1WXQJtWQYw=
=nFkR
-----END PGP SIGNATURE-----
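The following is an added example, not Gitorious code: it reproduces in plain Ruby what the one-line workaround above changes. Instead of a database it emulates the relevant piece of MySQL's comparison rules (a string compared with a number is converted to a number, and a string with no leading digits converts to 0) over a constructed in-memory users table, so the difference between passing the raw request value and passing `value.to_s` can be seen and tested offline. The user records, the `mysql_eq` emulation and the `valid_reset_token?` check are assumptions of this example, not the project's own code.

```ruby
# Added example (not from the Gitorious project): why the reset-token lookup must
# receive a String, shown against an emulation of MySQL's implicit type conversion.

# Constructed sample users; password_key holds the hex reset token, nil when unset.
USERS = [
  { id: 1, login: "alice", password_key: "f3a9c0d1e2b4" },  # starts with a letter
  { id: 2, login: "bob",   password_key: "42ab1c9d7e0f" },  # starts with digits
  { id: 3, login: "carol", password_key: nil },             # no reset requested
].freeze

# Emulates MySQL's string-to-number conversion: the longest numeric prefix is
# used, and a string without one becomes 0. This is the root cause named in
# the advisory: "f3a9..." = 0 is TRUE when MySQL compares it with an integer.
def mysql_to_number(str)
  m = str.match(/\A\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?/)
  m ? m[0].to_f : 0.0
end

# Emulates `WHERE password_key = <param>` for one row. NULL never matches;
# a numeric parameter forces numeric comparison, a string compares as text.
def mysql_eq(column_value, param)
  return false if column_value.nil? || param.nil?
  case param
  when Numeric then mysql_to_number(column_value) == param.to_f
  else column_value == param.to_s
  end
end

# Mirrors the removed line: the request value goes to the query unchanged, so a
# typed value parsed from an XML body (e.g. an Integer) reaches MySQL as a number.
def find_user_loose(token)
  USERS.find { |u| mysql_eq(u[:password_key], token) }
end

# Mirrors the added line: `.to_s` normalizes the value, so the query is always a
# string comparison. Note nil becomes "" here, which is why a blank check helps.
def find_user_strict(token)
  find_user_loose(token.to_s)
end

# Extra check a practitioner would add (assumption: tokens are non-empty hex
# strings). Anything else is rejected before any query is made.
def valid_reset_token?(token)
  token.is_a?(String) && token.match?(/\A\h{8,}\z/)
end

def find_user_checked(token)
  return nil unless valid_reset_token?(token)
  find_user_strict(token)
end

if __FILE__ == $PROGRAM_NAME
  puts "loose lookup with integer 0  -> #{find_user_loose(0)&.fetch(:login).inspect}"
  puts "strict lookup with integer 0 -> #{find_user_strict(0)&.fetch(:login).inspect}"
  puts "checked lookup, real token   -> #{find_user_checked('f3a9c0d1e2b4')&.fetch(:login).inspect}"
end
```

Run with `ruby reset_token_lookup.rb` (any filename works): the loose lookup returns a user for an Integer parameter that is not anyone's token, the strict lookup returns nothing for it, and the checked lookup only ever queries with a well-formed token. The emulation covers only the comparison rule the advisory describes; real MySQL has further collation and padding rules that do not change this outcome.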