Cross-Site Request Forgery (CSRF) in admin panel · Issue #5367 · gogs/gogs · GitHub

Closed
1 of 3 tasks
math1as opened this issue Aug 6, 2018 · 7 comments · Fixed by #5997

Assignees
Labels
🔒 security Categorizes as related to security
Milestone

Comments

math1as commented Aug 6, 2018
  • Gogs version (or commit ref): <= 0.11.53.0603
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist (usually found in log/gogs.log):

Description

The operations in the admin panel can be called with the GET method, which is vulnerable to CSRF.

op

An attacker can embed an image tag in issues; when the administrator visits the issue, the operation is fired.

See the online demo (attention: if the administrator visits it, your SSH key is wiped out).

https://try.gogs.io/hellotester2/12312312313/issues/6

Patch

Change the call method of these operations from GET to POST,
or enable the CSRF token for the GET method.

Discoverer

Wenxu Wu of Tencent's Xuanwu Lab
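The pattern the report describes, and the fix it proposes, side by side. This is an added example written for this page in Go (the language Gogs is written in); it is not Gogs' own code. The route `/admin/keys/delete`, the `session` cookie, the `_csrf` form field, the `KeyStore` and `Sessions` types and the sample key are all assumptions constructed for the demonstration, and `net/http/httptest` is used so the two browser-side requests can be replayed offline against each handler.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// KeyStore is a constructed stand-in for the SSH keys an admin has registered.
type KeyStore struct{ keys []string }

func NewKeyStore() *KeyStore   { return &KeyStore{keys: []string{"ssh-ed25519 AAAA...constructed-sample"}} }
func (s *KeyStore) Count() int { return len(s.keys) }
func (s *KeyStore) DeleteAll() { s.keys = nil }

// Sessions maps a session cookie value to that session's CSRF token (the
// synchronizer-token pattern Gogs already applies to POST requests).
type Sessions map[string]string

func (ss Sessions) Login() (sessionID, csrfToken string) {
	b := make([]byte, 32) // 16 random bytes of session id plus 16 of CSRF token, from crypto/rand
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	sessionID, csrfToken = hex.EncodeToString(b[:16]), hex.EncodeToString(b[16:])
	ss[sessionID] = csrfToken
	return sessionID, csrfToken
}

func (ss Sessions) lookup(r *http.Request) (string, bool) {
	if c, err := r.Cookie("session"); err == nil {
		tok, ok := ss[c.Value]
		return tok, ok
	}
	return "", false
}

// VulnerableDeleteKeys mirrors the reported pattern: a state-changing admin action on plain
// GET, guarded only by the session cookie, which the browser attaches to every request.
func VulnerableDeleteKeys(keys *KeyStore, ss Sessions) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := ss.lookup(r); !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		keys.DeleteAll()
		w.WriteHeader(http.StatusOK)
	})
}

// HardenedDeleteKeys is the fix the report proposes: only POST is accepted, and the body must
// carry the caller's session token. An <img> cannot POST; a form on another origin has no token.
func HardenedDeleteKeys(keys *KeyStore, ss Sessions) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		want, ok := ss.lookup(r)
		got := r.PostFormValue("_csrf") // body only: a token in the query string is ignored
		if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
			http.Error(w, "bad csrf token", http.StatusForbidden)
			return
		}
		keys.DeleteAll()
		w.WriteHeader(http.StatusOK)
	})
}

// send replays a browser request to the admin action with the session cookie attached.
func send(h http.Handler, method, sessionID, form string) int {
	req := httptest.NewRequest(method, "/admin/keys/delete", strings.NewReader(form))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "session", Value: sessionID})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// CrossSiteGET is what an <img> in an issue makes the admin's browser send: GET, cookie, no token.
func CrossSiteGET(h http.Handler, sessionID string) int { return send(h, http.MethodGet, sessionID, "") }

// FormPOST submits the form with the given token; only the panel's own page knows the real one.
func FormPOST(h http.Handler, sessionID, token string) int {
	return send(h, http.MethodPost, sessionID, "_csrf="+token)
}

func main() {
	ss, vuln, hard := Sessions{}, NewKeyStore(), NewKeyStore()
	sid, tok := ss.Login()
	fmt.Println("vulnerable, GET via <img>:", CrossSiteGET(VulnerableDeleteKeys(vuln, ss), sid), "keys left:", vuln.Count())
	h := HardenedDeleteKeys(hard, ss)
	fmt.Println("hardened, GET / bad POST / real POST:", CrossSiteGET(h, sid), FormPOST(h, sid, "guess"), FormPOST(h, sid, tok), "keys left:", hard.Count())
}
```

The method check and the token check are both needed: rejecting GET alone still leaves a cross-site auto-submitting form, and the token alone would have to be carried in a GET query string, where it ends up in logs and Referer headers. Reading the token with `PostFormValue` rather than `FormValue` keeps it out of the URL, and the constant-time compare avoids leaking it byte by byte.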

@unknwon unknwon added the 🔒 security Categorizes as related to security label Aug 14, 2018
@unknwon unknwon added this to the 0.12 milestone Aug 14, 2018
@unknwon unknwon added 💊 bug Something isn't working and removed 💊 bug Something isn't working labels Aug 14, 2018
@beeonthego

@math1as Is a CSRF token in a query string vulnerable to redirect and theft? A header like Referrer-Policy may help, but some older browsers may not support this header. Should it be a separate token just for GET routes? What do you think? I appreciate your wisdom.

@math1as
Author
math1as commented Sep 3, 2018

@beeonthego I think changing the method from GET to POST is not a bad idea; the POST method in Gogs has a CSRF token to mitigate CSRF attacks, since GitHub and GitLab apply it to every operation, too.

@beeonthego

@math1as Thank you. Gogs and Gitea have unconventional use of GET requests to perform actions. Changing them to POST will solve some problems, but it means breaking changes.

By the way, are you a researcher from Tencent's Xuanwu Lab?

@math1as
Author
math1as commented Sep 3, 2018

@beeonthego Yes, we recently focused on security vulnerabilities in open source software, and hope to help vendors fix these problems :)

@beeonthego

@math1as Thank you for the time spent researching and disclosing them responsibly. I read vulnerability reports, coordinate patches internally and submit PRs. Other developers may be doing the same. It takes time to review the PR and merge it into a popular repo like this. Please keep up the good work, even if some fixes may take time.

Cheers!

richmahn referenced this issue in unfoldingWord/dcs Feb 4, 2019
* Explicitly disable Git credential helper

If the user running Gitea has configured a credential helper, Git
credentials might leak out of Gitea.

There are two problems with credential helpers when combined with Gitea:

1. Credentials entered by a user when doing a migration or setting up a
   mirror will end up in the credential store. In the worst case, this
   is the plain text file ~/.git-credentials.
2. Credentials in the credential store will be used for migrations and
   mirrors by all users. For example, if user A sets up a mirror, their
   credentials will be stored. If user B later sets up a mirror from the
   same host and does not enter any credentials, user A's credentials
   will be used.

This PR prepends -c credential.helper= to all Git commands to clear the
list of helpers. This requires at least Git version 2.9, as previous
versions will try to load an empty helper instead. For more details, see
git/git@2432137

* Update git module
@NicoleG25

Was this issue ever addressed? Please note that CVE-2018-15193 was assigned.

@unknwon unknwon modified the milestones: 0.13, 0.12 Jan 22, 2020
@unknwon unknwon self-assigned this Mar 21, 2020
@unknwon
Member
unknwon commented Mar 21, 2020

Changed method to POST:

image

Thanks again for reporting :)

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 19, 2022