Cookie CSRF #6953
Comments
Hey! It doesn't seem like I've received the email 🤔 could you resend?
I sent them to security@gogs.io ... just resent them.
Thanks, got it now! For some reason (maybe due to the nature of the content 😂) it's in my spam folder and my email client doesn't show it, I had to go to the webmail from my provider to pull it out to the inbox.
Good to hear. My patch works swell in my case.
Could you confirm if you have received my reply? 🤦♂️ my email client kept telling me it can't send. In case it does not get sent: I think the fundamentals of the report are identical to https://www.huntr.dev/bounties/6f41ee81-038d-4acf-b101-27c698161a3d/, which IMO is nice to fix but has no practical impact. Though if you already have a patch, we can see what we can do :)
I did not receive your email, but yes that is exactly the issue (sorry I missed it when creating this ticket). It is 100% practical because PCI requirements cannot permit injected script into a webpage. If a malicious actor can inject script into a page in the context of a logged-in user, they can own the repo (in a nutshell). My patch works and is simple to implement. From our PCI scanner, Gogs has a "Cross-site Scripting (XSS) vulnerability": XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
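Added illustration of the bug class this comment describes (not code from Gogs or from either participant): a Go handler that echoes the `_csrf` cookie into HTML unescaped, beside one that renders it through `html/template`, both driven with `httptest` so the two responses can be compared. The cookie name, the reflection point and the tampered value are assumptions made for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
)

// Constructed cookie value carrying HTML metacharacters. A genuine CSRF
// token is hex/base64, so a value like this can only come from tampering.
const tamperedCookie = "abc<script>alert(1)</script>"

// reflectUnescaped interpolates the raw cookie into HTML: the bug class in the thread.
func reflectUnescaped(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("_csrf")
	if err != nil {
		http.Error(w, "missing _csrf cookie", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "<p>CSRF token mismatch: %s</p>", c.Value)
}

// csrfPage escapes contextually: html/template turns < > & ' " into entities.
var csrfPage = template.Must(template.New("p").Parse("<p>CSRF token mismatch: {{.}}</p>"))

func reflectEscaped(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("_csrf")
	if err != nil {
		http.Error(w, "missing _csrf cookie", http.StatusBadRequest)
		return
	}
	if err := csrfPage.Execute(w, c.Value); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// Render drives a handler with a request carrying the cookie and returns the body.
func Render(h http.HandlerFunc, cookie string) string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Cookie", "_csrf="+cookie)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	fmt.Println("unescaped:", Render(reflectUnescaped, tamperedCookie))
	fmt.Println("escaped:  ", Render(reflectEscaped, tamperedCookie))
}
```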
No worries on missing the huntr.dev report! Please also read my comments on the above huntr.dev link, for why I think it is not practical to actually achieve a realistic attack for what's been reported here. I'm not saying XSS isn't a thing.
Yep, I read them. I will not construct a PoC, but knowing your application returns unsanitized user input (even if it is a cookie header), which is an immediate PCI failure, we have patched our install. Again, the patch is simple and tiny. If you object to it, that is your prerogative.
I previously commented:
Just to rephrase the same thing, I definitely would not object to fixing it, and a pull request is welcome!
I emailed the diff, would you like an official PR? I can certainly do that if you like.
It would be ideal if you could propose the PR, I don't want to take the credit for the diff. I'd also want to go through a proper code review 😁
Version 0.12.8 has been released and includes the patch for the reported issue. The security advisory has been published as GHSA-pj96-4jhv-v792.
Gogs version: 0.13.0+dev
Git version:
Operating system: Ubuntu 18.04.6
Database: MySQL 5.7
Describe the bug: Security issue with malformed requests, submitted via email to security@gogs.io on May 17, 2022.
To reproduce: See email (will confirm once accepted).
Expected behavior: See email (will confirm once accepted).
Additional context: No response