Gitea vulnerabilities
This exploit of the day is a bundle of several vulnerabilities, all of which have been patched in the latest release of Gitea.
Gitea is a web interface for git.
Both Gitea and Gogs (which is also an open source git web interface intended for
private use) gained a lot of attention when Microsoft bought up GitHub and the
most hardcore volunteer programmers rushed to other servers in a pure
“Open Source shall remain open” spirit!
Gitea and Gogs are also both lightweight alternatives to GitLab, and both are written in the new programming language Go (golang).
Patch:
We recommend that you update to the latest version of Gitea; all vulnerabilities
mentioned in this blog post have been patched by the
developers in various pull requests on GitHub.
Most interesting vulnerabilities
Remote code execution with mirror repository URL settings
This vulnerability allows a malicious third party to supply a malicious remote git URL, which leads to remote code execution due to poor escaping of the user-defined input. Better URL validation and escaping were added in pull requests #6593 and #6594.
- cfg.Section("remote \"origin\"").Key("url").SetValue(addr)
- return cfg.SaveToIndent(configPath, "\t")
+ _, err = git.NewCommand("remote", "add", "origin", addr).RunInDir(repoPath)
+ return err
}
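Review bot: `_, err = git.NewCommand("remote", "add", "origin", addr).RunInDir(repoPath)` discards the command's first return value, so when `git remote add` fails the caller gets only a bare error without git's own diagnostic output; consider wrapping `err` with that output before `return err`. The hunk itself performs no check on `addr`: it moves the URL out of the hand-edited config file and into a git argument, so rejecting hostile values rests entirely on the validation the post attributes to #6593 and #6594, and that dependency deserves a comment at this call site.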
Release note v1.8.0
Two-factor authentication bypass through the API
Due to poorly written API token authentication handling in the code base, a malicious third party is able to send a fake OTP (one-time password) API token and be granted access to the Gitea server.
Luckily this was solved in pull request #6676, with a patch applied to the modules/auth/auth.go and modules/context/api.go modules.
+ } else {
+ ctx.Data["IsApiToken"] = true
}
- ctx.Data["IsApiToken"] = true
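Review bot: the `if` condition that the added `} else {` branch pairs with is outside the excerpt, so a reader cannot see which authentication path now skips setting `ctx.Data["IsApiToken"]`; include at least the enclosing `if` line as context. Moving the assignment out of the unconditional `- ctx.Data["IsApiToken"] = true` and into the else branch is consistent with the post's description, since the flag should only be set on the path that actually validated a token.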
// CheckForOTP validateds OTP
func (ctx *APIContext) CheckForOTP() {
otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
if err != nil {
if models.IsErrTwoFactorNotEnrolled(err) {
return // No 2FA enrollment for this user
}
ctx.Context.Error(500)
return
}
ok, err := twofa.ValidateTOTP(otpHeader)
if err != nil {
ctx.Context.Error(500)
return
}
if !ok {
ctx.Context.Error(401)
return
}
}
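Review bot: `CheckForOTP` returns nothing, so a caller cannot tell whether validation failed other than by checking whether an error response has already been written to the context; document that contract in the function comment (and fix the typo `validateds` while there), or return a bool so callers cannot forget the check. Note also that a missing `X-Gitea-OTP` header reaches `twofa.ValidateTOTP` as an empty string, which that function must reject for the `401` path to be hit; if that is intended, a one-line comment saying so would help the next reader.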
Release note v1.8.0
Leaking sensitive information
Gitea was vulnerable to a timing attack which would allow a malicious third party to guess the correct token based on
how long the application takes to respond to each request.
The following patch was committed in pull request #7364.
- if header != "Bearer "+setting.Metrics.Token {
+ got := []byte(header)
+ want := []byte("Bearer " + setting.Metrics.Token)
+ if subtle.ConstantTimeCompare(got, want) != 1 {
ctx.Error(401)
return
}
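Review bot: `subtle.ConstantTimeCompare(got, want) != 1` is constant-time only for inputs of equal length; the function returns 0 immediately when `len(got) != len(want)`, so the length of the expected `"Bearer " + setting.Metrics.Token` value remains observable through timing. For a fixed-length token that is usually acceptable, but it should be stated in a comment; if the length must also be hidden, compare fixed-size digests of both values instead.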
Release note v1.9.0
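As an added illustration (not code from the post or from Gitea), the Bearer token check in three forms: the plain comparison the hunk removes, the subtle.ConstantTimeCompare form it adds, and a digest-based variant that also hides the expected length; metricsToken is a constructed stand-in for setting.Metrics.Token.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed stand-in for setting.Metrics.Token; not a real Gitea value.
const metricsToken = "example-metrics-token"

// insecureTokenMatch is the pre-#7364 shape of the check: a plain string
// comparison, which stops at the first differing byte and so leaks, through
// response time, how long a correct prefix the caller has supplied.
func insecureTokenMatch(header, token string) bool {
	return header == "Bearer "+token
}

// constantTimeTokenMatch is the shape adopted in #7364. subtle.ConstantTimeCompare
// returns 0 immediately when the lengths differ, so only the comparison of
// equal-length inputs is constant-time; the expected length stays observable.
func constantTimeTokenMatch(header, token string) bool {
	got := []byte(header)
	want := []byte("Bearer " + token)
	return subtle.ConstantTimeCompare(got, want) == 1
}

// hashedTokenMatch hides the length as well: both sides are reduced to a
// fixed-size SHA-256 digest before the constant-time compare, so every
// request costs the same regardless of how long the supplied header is.
func hashedTokenMatch(header, token string) bool {
	got := sha256.Sum256([]byte(header))
	want := sha256.Sum256([]byte("Bearer " + token))
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

func main() {
	// Constructed sample headers: a correct one, a wrong one and a missing one.
	for _, h := range []string{"Bearer " + metricsToken, "Bearer wrong", ""} {
		fmt.Printf("%q -> insecure=%v constant=%v hashed=%v\n", h,
			insecureTokenMatch(h, metricsToken),
			constantTimeTokenMatch(h, metricsToken),
			hashedTokenMatch(h, metricsToken))
	}
}
```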
External links:
Microsoft buys GitHub for 7.5 billion
Gogs
Gitea on GitHub
Golang
Gitea 1.9