Saturday, 26 March 2011

Taking over your code repositories with xss!

All bugs I mention below have been fixed.

There are various code hosting services on the internet that are free for open source projects.
Most of the 'big' ones have web interfaces where you set your SSH key and repository ACLs, so an attacker could use a web-application bug to compromise a code repository.

I decided to have a brief look at the following large sites:
1. Github - a git code hosting service.
2. Bitbucket - a hg code hosting service.
3. Launchpad - the launchpad domain hosts some (bzr) code repositories and users' PPAs.
4. gitorious.org - another git hosting service.

Let's attack 1. (github).
So github is pretty good at stopping and blocking xss. There was a recent public posting at http://news.ycombinator.com/item?id=2024141 about one xss in github, but other than that there haven't been any other (public) bugs (that I know of) on the github.com domain in, say, the last 100 days.

Here are two (these two are more recent than the ycombinator posting).

1. The vector used here was the branch name of one of my repositories, which was shown unescaped on my user page when I pushed a new commit (to the branch).

2. The vector used in this case is the filename of a file in the repository.

Ok so moving on to bitbucket...

The bitbucket domain uses django and django has magical ponies...
This service had a fair number of trivial and obvious xss. All of them are now fixed!

Here is an example of a persistent xss on the service.
(the vector here is the repository name not being escaped when it is forked from an existing one).

So ... Launchpad service(s) don't make use of a csrf token and the session cookie isn't HttpOnly (these are old issues so please don't open new ones about them).

I decided to test if Launchpad had made any of the mistakes that github or bitbucket had made on their code / bazaar subdomain. I guess I got lucky ;P
The same xss vector that worked on github (unescaped filenames) worked in the revision view on http://bazaar.launchpad.net. This is CVE-2011-0728.

Screenshot - (the xss was on the http://bazaar.launchpad.net site).

Hmm... finally gitorious. Gitorious is a bit weird: unlike the others, your session cookie isn't a 'secure cookie'. I was informed that gitorious will be migrating to ssl completely soon...

1. The xss vector here is that a user's full name wasn't escaped :/
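The defect is the same on all four sites above: a string any user controls (branch name, filename, repository name, full name) is written into HTML without escaping. As an added example, not code from the post or from any of the services named, here is a minimal Python render of a revision view in the broken and the escaped form, plus a check of the Set-Cookie flags the post calls out for Launchpad and gitorious; the sample branch, filenames and cookie headers are constructed.

```python
import html
import re
from typing import Dict, List

# Constructed sample revision metadata: identifiers an ordinary user picks
# freely when pushing, of the kind the bugs above were triggered with.
SAMPLE_BRANCH = 'feature/<img src=x onerror=alert(1)>'
SAMPLE_FILES = ['README', 'src/main.c', '<script>alert(1)</script>.txt']


def render_revision_unsafe(branch: str, files: List[str]) -> str:
    """The pattern behind the bugs: identifiers interpolated raw into HTML."""
    rows = ''.join(f'<li>{name}</li>' for name in files)
    return f'<h2>Branch {branch}</h2><ul>{rows}</ul>'


def render_revision_safe(branch: str, files: List[str]) -> str:
    """Same view, every user-controlled string escaped for an HTML text context.

    quote=True also escapes quotes, so the helper stays correct if a later
    template puts the value inside an attribute.
    """
    rows = ''.join(f'<li>{html.escape(name, quote=True)}</li>' for name in files)
    return f'<h2>Branch {html.escape(branch, quote=True)}</h2><ul>{rows}</ul>'


# Hypothetical detection used by the test: did a user-supplied tag survive
# as markup? Only the two tags our samples carry are checked.
INJECTED_TAG_RE = re.compile(r'<(script|img)\b', re.IGNORECASE)


def contains_injected_markup(page: str) -> bool:
    return bool(INJECTED_TAG_RE.search(page))


def session_cookie_flags(set_cookie: str) -> Dict[str, bool]:
    """Report the two Set-Cookie attributes the post mentions.

    Missing HttpOnly means an xss like the ones above can read the session
    cookie; missing Secure means it also travels over plain http.
    """
    attrs = {part.strip().lower() for part in set_cookie.split(';')[1:]}
    return {'httponly': 'httponly' in attrs, 'secure': 'secure' in attrs}


if __name__ == '__main__':
    print(render_revision_safe(SAMPLE_BRANCH, SAMPLE_FILES))
    print(session_cookie_flags('sid=abc; Path=/; HttpOnly; Secure'))
```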

[0] https://bugs.launchpad.net/loggerhead/+bug/740142
