Closed YYHYlh closed 2 years ago
Excellent. Thank you. Just for me to know, what ways did you try to contact the developers that were unsuccessful?
Excellent. Thank you. Just for me to know, what ways did you try to contact the developers that were unsuccessful?
I found some contacts on your official website and in the Github Readme at
I think you guys could update your latest contact information, preferably using a private email for receiving some of the more private security questions.
@YYHYlh , would you like to review and test the pull request before a release?
@YYHYlh , would you like to review and test the pull request before a release?
I don't think it's needed anymore, because I'm not quite sure how the project compiles. But I can't inject into the config file anymore without using the characters you disabled, and I think that part of the code is already safe. I will test again when your new version is released
I have merged the fix into the master branch, which means it will be built with the next nightly build. Should you happen to use Docker images, you can use the latest nightly Docker image to test the fix. Otherwise you could use the artefact attached to the last nightly build.
I have merged the fix into the master branch, which means it will be built with the next nightly build. Should you happen to use Docker images, you can use the latest nightly Docker image to test the fix. Otherwise you could use the artefact attached to the last nightly build.
I think the patch has fixed the vulnerability successfully. I will contact you promptly if I find any new vulnerabilities after that.
I met an issue today when I was trying to login Gitblit 1.9.2 using a local admin account. It failed login and prompt me invalid user name or password. Then I used another windows domain account logged in which was granted admin privilege. Then I found that the user list is empty. I logged into the server where gitblit is installed, and found that the users.conf is empty. I don't know why. Just found some exception in log about failed to read users.conf. I just upgraded to 1.9.3 right now. Hope this issue will never happen again. Please refer to below log: 2022-07-20 14:35:58 [ERROR] Failed to read D:\Program Files\gitblit-1.9.2\data\users.conf org.eclipse.jgit.errors.ConfigInvalidException: Cannot read file D:\Program Files\gitblit-1.9.2\data\users.conf at org.eclipse.jgit.storage.file.FileBasedConfig.load(FileBasedConfig.java:194) at com.gitblit.ConfigUserService.read(ConfigUserService.java:885) at com.gitblit.ConfigUserService.getUserModel(ConfigUserService.java:190)
Hello, I tried to contact the developers of your product but did not get a response, so I decided to raise the vulnerability to you in the issue, hoping that you can fix it as soon as possible to avoid a wider impact of the vulnerability.
Principle of the vulnerability
Gitblit uses file storage to manage user information, passwords, account types, and permissions. When a user with low privileges modifies their information, if they use line breaks and space characters, they can create new users or assign higher higher privileges. The relevant code logic is in the
write
function ofcom.gitblit.ConfigUserService
. The reason for the problem is that gitblit does not do a checksum on the characters entered by the user, and malicious characters are printed directly in the file, causing gitblit to parse the file incorrectly when reading it. The location where users are saved is in data/users.conf. The default users.conf is as follows.The user name is admin, the password is admin, and the user's permissions are admin permissions, and the file will change as the user logs in. After logging in once the file reads
If there is a new user, a new user will be created below the user, and which will be accompanied by the user's emailAddress information, if the attacker in the modification of their own emailAddress, the emailAddress set to
xxx.@qq.com\n\trole = "#admin"\n[user "other"]
,you can modify the permissions of their own user to admin.Vulnerability recurrence
test
, passwordtest1
, and privilegesNone
, and the current users.conf is.After logging in, click on Profile->Preferences in order Turn on burpsuite's blocking feature, click Save, and block the request with burpsuite.
In burpsuite, make changes to the request.
Modify the value of emailAddress%3Atext to
111@qq.com\n\trole = "#admin"\n[user "other"]
after url encoding. The[user "other"]
at the end of the payload is to avoid the impact of the original role = "#none". The encoding can be done using burpsuite's Decode functionYou can see that the test user has become admin privileges. Refreshing the page, at this point the test user has full access to gitblit, and can see all Git repositories and manage all users and teams