Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4F5451AA.3070308@redhat.com>
Date: Sun, 04 Mar 2012 22:39:54 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Ruby on Rails github compromise

https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation

    Public Key Security Vulnerability and Mitigation
    mojombo March 4, 2012

    At 8:49am Pacific Time this morning a GitHub user exploited a
security vulnerability in the public key update form in order to add his
public key to the rails organization. He was then able to push a new
file to the project as a demonstration of this vulnerability.

    As soon as we detected the attack we expunged the unauthorized key
and suspended the user.

    At 9:53am Pacific Time this morning we rolled out a fix to the
vulnerability and started an investigation into the impact of the
attack. Database and log analysis have shown that the user compromised
three accounts (rails and two others that appear to have been proofs of
concept). All affected parties have been or will be contacted once we
are certain of the findings.

    The root cause of the vulnerability was a failure to properly check
incoming form parameters, a problem known as the mass-assignment
vulnerability. In parallel to the attack investigation we initiated a
full audit of the GitHub codebase to ensure that no other instances of
this vulnerability were present. This audit is still ongoing, and I am
going to personally ensure that we have a strategy going forward to
prevent this type of vulnerability from happening again.

    I sincerely apologize for allowing this to happen. Security is our
priority and I will be arranging additional external security audits
above and beyond our normal schedule to further test our security
measures and give you peace of mind.

====

Mass assignment in Rails applications:
http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/

Homakov (exploited this issue on Github:
"wow how come I commit in master? O_o "
https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57

Proposal for Improving Mass Assignment:
https://gist.github.com/1974187

Responsible Disclosure Policy:
https://github.com/blog/1069-responsible-disclosure-policy

Whitelist all attribute assignment by default.:
https://github.com/rails/rails/commit/641a4f62405cc2765424320932902ed8076b5d38

What's New in Edge: Scoped Mass Assignment in Rails 3.1:
http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1

I think this potentially warrants a CVE, thoughts/comments?


-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.