* Vulnerability in the reset password functionality in Gitorious
There is a vulnerability in the reset password functionality in Gitorious. The root cause of this vulnerability is the way MySQL performs automatic conversion between different data types. By carefully crafting an XML payload and passing it to Gitorious' reset password function, an attacker would be able to gain access to accounts belonging to users who have recently requested a password reset for their account. All users should upgrade their server immediately.

* Releases

We have just released Gitorious v2.4.7, which resolves this issue.

* Workarounds

If you're unable to upgrade to the latest released version of Gitorious, you should alter the file app/controllers/users_controller.rb like so:

-    @user = User.find_by_password_key(params[:token])
+    @user = User.find_by_password_key(params[:token].to_s)

* Credits

Although this vulnerability was discovered by the Gitorious team, we started looking into this issue after reading this blog post:

http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html

A big thanks to joernchen of phenoelit for discovering this vulnerability.

-- 
Marius Mathiesen
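Review bot: the `.to_s` added in the `+` line of the workaround keeps a non-string value parsed from an XML body from reaching the query, but it also turns a missing token into the empty string, so `find_by_password_key("")` is still executed against the database. Consider returning early when `params[:token]` is blank (for example `return redirect_to(root_path) if params[:token].blank?` before the lookup) so that neither an empty nor a non-string token is ever used as a lookup key.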
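As an added example (not Gitorious' own code) of the input hardening the workaround points at: a Ruby stand-in for the controller's token lookup that only hands a well-formed string token to the query, and rejects the nil, Hash, Array or Integer values that a parsed XML or JSON body can leave in params. The token format, the in-memory user table and the helper names are assumptions made for illustration.

```ruby
# Added example, not Gitorious code. Rails parses XML/JSON request bodies
# into params, so params[:token] may be nil, a Hash, an Array or an Integer
# rather than a String. The advisory's workaround calls .to_s on it; this
# version rejects anything that is not a non-blank String of the expected
# shape before any database lookup is built.

# Assumed shape of an issued reset key (hex, 20 to 64 characters).
TOKEN_FORMAT = /\A[0-9a-f]{20,64}\z/i

# The advisory's workaround, for comparison: coerces to String, so nil
# becomes "" and a Hash becomes its inspect-style text, both still queried.
def advisory_workaround(raw)
  raw.to_s
end

# Returns the token as a String if it is acceptable, otherwise nil.
def sanitize_reset_token(raw)
  return nil unless raw.is_a?(String)
  token = raw.strip
  return nil if token.empty?
  return nil unless token =~ TOKEN_FORMAT
  token
end

# Constructed stand-in for User.find_by_password_key: a Hash keyed by the
# exact token string, so the lookup is an exact string comparison with no
# SQL and no type coercion involved.
USERS = {
  "3f1a9c0d7e5b2a4c8d6e1f0b9a7c5d3e" => "alice",
}.freeze

# Mirrors the controller line from the advisory, with the lookup guarded.
# `params` is a plain Hash with symbol keys here (constructed input).
def find_user_for_reset(params)
  token = sanitize_reset_token(params[:token])
  return nil if token.nil?
  USERS[token]
end

if __FILE__ == $PROGRAM_NAME
  good = { token: "3f1a9c0d7e5b2a4c8d6e1f0b9a7c5d3e" }
  odd  = { token: {} }   # what an XML element with attributes parses to
  puts "good token -> #{find_user_for_reset(good).inspect}"
  puts "hash token -> #{find_user_for_reset(odd).inspect}"
  puts "nil via workaround -> #{advisory_workaround(nil).inspect}"
end
```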