PGYER / codefever

CodeFever is a completely free and open-source Git code hosting service that can be installed on your own server with a single command! CodeFever Community Edition (A Self-hosted Git Service)!
https://codefever.cn
MIT License
2.69k stars, 281 forks

Codefever has a Remote Command Execution Vulnerability in the latest version #189

Closed Boogipop closed 10 months ago

Boogipop commented 10 months ago

Vulnerable Path

/application/controllers/reposity.php
/application/controllers/repository_model.php

Exploit Reproduction

Attackers can gain shell access to the server by creating an account with a custom email address. First, register a malicious account. Then, we just need to create a repository group and a repository. Next, open the "Create Merge Request" interface. Ultimately, the malicious code is executed, and we finally get a reverse shell.

Vulnerable Point

Useless regex pattern leads to RCE

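As an added illustration of the bug class the report describes (this is not code from the issue or from the CodeFever project), the PHP below contrasts an unanchored regex check with a strict one and shows why quoting matters once the value reaches a shell. The regex, the git command used as the sink, the function names and the payload are all assumptions made for the illustration; the report only shows the real pattern and code path in screenshots, so nothing here claims to be CodeFever's actual check or sink.

```php
<?php
// Added illustration, not CodeFever code. HYPOTHETICAL weak check: the pattern
// has no ^ ... $ anchors, so preg_match() succeeds whenever an email-looking
// substring appears anywhere in the input, whatever surrounds it.
function weakEmailCheck(string $email): bool
{
    return preg_match('/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i', $email) === 1;
}

// Hardened check: filter_var() validates the whole string against an
// RFC-style address, which rules out spaces and shell metacharacters such as
// $ ( ) ; | & ` in either the local part or the domain. The length cap bounds
// what downstream code has to handle.
function strictEmailCheck(string $email): bool
{
    return strlen($email) <= 254
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// ASSUMED sink: the address is spliced into a git command line. The unsafe
// form interpolates the raw string, so the shell parses anything inside it.
function unsafeCommitCommand(string $email): string
{
    return "git -c user.email=$email commit -m 'merge'";
}

// Safe form: escapeshellarg() wraps the value in single quotes (escaping any
// embedded quotes), so the shell passes it to git as one literal argument.
// Validation and quoting are independent layers; apply both.
function safeCommitCommand(string $email): string
{
    return 'git -c ' . escapeshellarg("user.email=$email") . " commit -m 'merge'";
}

// Constructed inputs for the demonstration: a benign address and a
// valid-looking address with a command substitution appended.
$benign  = 'dev@example.com';
$payload = 'attacker@example.com$(id>/tmp/pwned)';

foreach ([$benign, $payload] as $candidate) {
    printf("%-40s weak=%s strict=%s\n",
        $candidate,
        weakEmailCheck($candidate) ? 'accept' : 'reject',
        strictEmailCheck($candidate) ? 'accept' : 'reject');
}

// Only the payload reaches the shell in a real attack; print both command
// forms so the effect of quoting is visible side by side.
echo unsafeCommitCommand($payload), PHP_EOL;
echo safeCommitCommand($payload), PHP_EOL;
```

The weak check accepts the payload because the match is found in the first part of the string; the strict check rejects it because `$`, `(`, `>` and `/` are not permitted in a domain. Even with validation in place, the quoted command form is the one that should be used, since a validator that is later relaxed must not turn into a shell injection.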

cubicwork commented 10 months ago

@Boogipop thanks for the warning, and we will fix this issue soon.