Date: Sun, 04 Mar 2012 22:39:54 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: Ruby on Rails github compromise https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation Public Key Security Vulnerability and Mitigation mojombo March 4, 2012 At 8:49am Pacific Time this morning a GitHub user exploited a security vulnerability in the public key update form in order to add his public key to the rails organization. He was then able to push a new file to the project as a demonstration of this vulnerability. As soon as we detected the attack we expunged the unauthorized key and suspended the user. At 9:53am Pacific Time this morning we rolled out a fix to the vulnerability and started an investigation into the impact of the attack. Database and log analysis have shown that the user compromised three accounts (rails and two others that appear to have been proofs of concept). All affected parties have been or will be contacted once we are certain of the findings. The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability. In parallel to the attack investigation we initiated a full audit of the GitHub codebase to ensure that no other instances of this vulnerability were present. This audit is still ongoing, and I am going to personally ensure that we have a strategy going forward to prevent this type of vulnerability from happening again. I sincerely apologize for allowing this to happen. Security is our priority and I will be arranging additional external security audits above and beyond our normal schedule to further test our security measures and give you peace of mind. ==== Mass assignment in Rails applications: http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/ Homakov (exploited this issue on Github: "wow how come I commit in master? O_o " https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57 Proposal for Improving Mass Assignment: https://gist.github.com/1974187 Responsible Disclosure Policy: https://github.com/blog/1069-responsible-disclosure-policy Whitelist all attribute assignment by default.: https://github.com/rails/rails/commit/641a4f62405cc2765424320932902ed8076b5d38 What's New in Edge: Scoped Mass Assignment in Rails 3.1: http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1 I think this potentially warrants a CVE, thoughts/comments? -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.