1234- / gitblit

Automatically exported from code.google.com/p/gitblit
Apache License 2.0
1 stars 0 forks source link

CSRF Vulnerability #499

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Description:
    GitBlit is susceptible to CSRF attacks. Specifically one can form a url that if clicked would delete a repository.
Steps to reproduce the problem:
    Prerequisite: have a local html page with the delete url for a repository.
    (e.g. <a href="https://<server>/?wicket:interface=:<repoid>:editForm:delete::ILinkListener::">Click Me</a>)
1.  Open a browser
2.  Login to GitBlit
3.  In another window or tab of the same browser open the local html page.
4.  Click the link with the delete url for a repository.
5.  Observe the repository is gone.
Expected Output:
    An error saying it detected a csrf attack and the repository is still there.
Actual Output:
    The repository is deleted.
Environment:
    Gitblit Version 1.6.0 running on rhel 6 / tomcat 7 / apache httpd 2.2 with proxy ajp

Original issue reported on code.google.com by 1988pors...@gmail.com on 5 Sep 2014 at 1:47

GoogleCodeExporter commented 9 years ago
Ugh.  This one is my least favorite.  Not sure how best to tackle it.

Thanks for taking the time to audit Gitblit.

Original comment by James.Mo...@gmail.com on 5 Sep 2014 at 11:23

GoogleCodeExporter commented 9 years ago
Authrization check before execution might help

Original comment by srb...@gmail.com on 9 Sep 2014 at 1:04

GoogleCodeExporter commented 9 years ago
Can you send a single use csrf token across as a parameter of the delete link? 
Which would be checked against the csrf value set in the session when the link 
was rendered for a user.

Original comment by 1988pors...@gmail.com on 12 Sep 2014 at 9:42

GoogleCodeExporter commented 9 years ago
I can do that for now.  Long-term Gitblit is trying to go stateless (& 
session-less) as much as possible so eventually a different strategy will need 
to be employed.

Original comment by James.Mo...@gmail.com on 12 Sep 2014 at 1:29