gitea remote command execution with default installation #5140

Closed
5alt opened this issue Oct 22, 2018 · 5 comments · Fixed by #5177

5alt commented Oct 22, 2018

  • Gitea version (or commit ref): current (9458880)

  • Can you reproduce the bug at https://try.gitea.io:

    • Yes (provide example URL)
    • [x] No
    • Not relevant

Description

Hi, I found an issue just like gogs/gogs#5469.
With gitea's default installation, I can authenticate as an arbitrary account. But due to some server configuration, I can't reproduce it on https://try.gitea.io .

As this is a very severe issue, I won't post details here. Can you give me your email address so I can send the details to you?

techknowlogick (Member) commented:

@5alt thanks for the report, security@gitea.io is the email address.

bugreport0 commented Oct 23, 2018

If there's an app.ini / external way to mitigate this issue before an official patch is out, it might be worth sharing early so we can harden our installation(s). I don't want to interfere with any project security policy, but eventually the patch/commit will be public anyway.

techknowlogick (Member) commented:

The remote execution could be mitigated by setting DISABLE_GIT_HOOKS to true, however the account takeover is still a significant issue.
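
A quick way to verify that the DISABLE_GIT_HOOKS mitigation mentioned above is actually in place across installations, as an added example that is not part of this thread and not Gitea project code; it assumes app.ini's usual layout with the key under a [security] section, and uses constructed sample files:

```shell
#!/bin/sh
# Added example, not code from the Gitea project or this thread.
# Reports whether an app.ini carries DISABLE_GIT_HOOKS = true in the
# [security] section (assumed layout); a missing key means the install
# falls back to Gitea's default for that version.

# git_hooks_disabled FILE -> exit 0 if hooks are disabled, 1 otherwise.
git_hooks_disabled() {
    awk '
        # Track the current section; only [security] counts.
        /^[[:space:]]*\[/ {
            in_sec = ($0 ~ /^[[:space:]]*\[security\][[:space:]]*$/)
            next
        }
        in_sec && /^[[:space:]]*DISABLE_GIT_HOOKS[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[2])
            # Last occurrence wins if the key is repeated.
            found = (tolower(kv[2]) == "true")
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample configs (not real installs). The [server] copy of the
# key in hardened.ini is a decoy showing that only [security] is honoured.
WORK=$(mktemp -d)
cat > "$WORK/hardened.ini" <<'EOF'
[server]
DISABLE_GIT_HOOKS = true
[security]
INSTALL_LOCK = true
DISABLE_GIT_HOOKS = true
EOF
cat > "$WORK/default.ini" <<'EOF'
[security]
INSTALL_LOCK = true
EOF

# report FILE -> one-line verdict for an app.ini path.
report() {
    if git_hooks_disabled "$1"; then
        echo "$1: git hooks disabled (mitigation present)"
    else
        echo "$1: DISABLE_GIT_HOOKS is not true under [security]"
    fi
}
report "$WORK/hardened.ini"
report "$WORK/default.ini"
```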

bugreport0 (Contributor) commented:

@techknowlogick thanks! Account takeover is significant, but being able to prevent remote code execution right now is a huge deal.


5alt commented Oct 26, 2018

gogs/gogs#5469 (comment)

@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020