mass assignment vulnerability in Redmine

Added by Mike Munro almost 3 years ago

Just saw this morning that GitHub got hacked via a well-known Rails vulnerability. We run a Redmine site for a client, and I'm wondering if I should be looking for the same vulnerability, or if the Redmine devs were smart enough to design around the issue. Related articles:

http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/
http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment
http://homakov.blogspot.com/2012/03/how-to.html

Replies (8)

RE: mass assignment vulnerability in Redmine - Added by Etienne Massip almost 3 years ago

Yes but most of the time, RM checks that the user trying to update has the right to do so.

RM code seems pretty clean to me.

RE: mass assignment vulnerability in Redmine - Added by John Yani almost 3 years ago

Yes but most of the time, RM checks that the user trying to update has the right to do so.

Well, most of the time is not always.

Let's examine a simple example of what find_mass_assignment has found:

app/controllers/news_controller.rb
if request.put? and @news.update_attributes(params[:news])

Let's look at the model:

app/models/news.rb
class News < ActiveRecord::Base
belongs_to :project
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'

So we can modify project_id and author_id when updating the news item. This allows me to post news as any user (including admin and anonymous) and post news to other projects.

This might not be a serious attack, but it is just an example. Who knows what other exceptions from "most of the time" there might be.

RE: mass assignment vulnerability in Redmine - Added by Etienne Massip almost 3 years ago

In this specific case, there is a before_filter :authorize, :except => [:index] which will prevent you from updating the news item if you don't have the right permission set.

What you say might be true if you have this permission for one project: then maybe you'll be able to change the author and even attach it to another project (not sure about the project, because of another before_filter :find_project_from_association, :except => [:new, :create, :index]).

RE: mass assignment vulnerability in Redmine - Added by Etienne Massip almost 3 years ago

Indeed, you won't be able to set a different project, this is checked.

RE: mass assignment vulnerability in Redmine - Added by John Yani almost 3 years ago

Etienne Massip wrote:

What you say might be true if you have this permission for one project, then maybe you'll be able to change the author and even attach it to another project (not sure about the project because of another before_filter :find_project_from_association, :except => [:new, :create, :index]).

Yes, that's what I meant. This is only true if I have a news item I can update.

Created an issue, so we can track all found vulnerabilities:
http://www.redmine.org/issues/10390

RE: mass assignment vulnerability in Redmine - Added by John Yani almost 3 years ago

Etienne Massip wrote:

Indeed, you won't be able to set a different project, this is checked.

How did you check? I can reproduce it locally by adding the following line to the news update form

<input type="hidden" name="news[project_id]" value="ANY_PROJECT_ID_YOU_WANT_TO_POST_NEWS_TO">
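As an added example that is not Redmine's code and not from any poster in this thread, the plain-Ruby simulation below shows the two points made above in one runnable file: why @news.update_attributes(params[:news]) lets the edit form set project_id and author_id, why a before_filter that authorizes against the record's current project does not stop it, and how an attribute allowlist (the idea behind attr_accessible in Rails 3 and strong parameters in later Rails) does. The Record and News classes, the project id 42, the admin user id 1 and the request hash are all constructed for the example; Rails and ActiveRecord are not required.

```ruby
# Added example: a plain-Ruby stand-in for the Rails pieces discussed in
# the thread. No Rails is needed; nothing here is Redmine's own code.

# Minimal "model": a hash of column values, like an ActiveRecord row.
class Record
  attr_reader :attributes
  def initialize(attrs)
    @attributes = attrs.dup
  end
end

# Behaves like update_attributes(params[:news]) with no attribute
# protection: every key in params is written, foreign keys included.
class UnsafeNews < Record
  def update_attributes(params)
    params.each { |k, v| @attributes[k.to_s] = v }
    true
  end
end

# Same model with an allowlist (the idea behind attr_accessible in
# Rails 3 and strong parameters in Rails 4). project_id and author_id
# are deliberately absent: the controller sets them, never the form.
class SafeNews < Record
  ACCESSIBLE = %w[title summary description].freeze

  def update_attributes(params)
    params.each do |k, v|
      @attributes[k.to_s] = v if ACCESSIBLE.include?(k.to_s)
    end
    true
  end

  # Keys a form tried to set but was not allowed to; worth logging.
  def self.rejected_keys(params)
    params.keys.map(&:to_s) - ACCESSIBLE
  end
end

# Constructed params["news"] hash, as Rack would parse the edit form
# after hidden fields like the one shown above were injected into it
# (the ids 42 and 1 are assumed values for the example):
#   <input type="hidden" name="news[project_id]" value="42">
#   <input type="hidden" name="news[author_id]"  value="1">
def tampered_params
  {
    "title"      => "Release notes",
    "project_id" => "42",  # another project (assumed id)
    "author_id"  => "1",   # assumed admin user id
  }
end

# The existing news item: project 3, written by user 15 (constructed).
def existing_news(model_class)
  model_class.new("id" => 7, "project_id" => "3",
                  "author_id" => "15", "title" => "old title")
end

# Stand-in for the before_filter :authorize: the user may only edit
# news in projects where they hold the permission. It necessarily runs
# against the record's *current* project_id, before update_attributes
# overwrites it, so it cannot see the value the form is about to inject.
def authorized?(permitted_project_ids, news)
  permitted_project_ids.include?(news.attributes["project_id"])
end

# Simulated NewsController#update: filter first, then mass-assign.
def handle_update(model_class, permitted_project_ids, params)
  news = existing_news(model_class)
  return :forbidden unless authorized?(permitted_project_ids, news)
  news.update_attributes(params)
  news.attributes
end

if __FILE__ == $PROGRAM_NAME
  p handle_update(UnsafeNews, ["3"], tampered_params)  # moved to project 42, author 1
  p handle_update(SafeNews,   ["3"], tampered_params)  # still project 3, author 15
  p SafeNews.rejected_keys(tampered_params)            # ["project_id", "author_id"]
  p handle_update(UnsafeNews, ["5"], tampered_params)  # :forbidden
end
```

Run it with plain ruby. The first call is the case discussed in the thread: the authorization filter passes because the user really does have the permission in project 3, and the record then leaves that project and changes author because the model accepts whatever keys the form sends. The allowlisted model keeps the title change and drops both foreign keys; the controller should set project and author itself from the already-authorized context rather than trust them from the request.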

RE: mass assignment vulnerability in Redmine - Added by Etienne Massip almost 3 years ago

John Yani wrote:

Etienne Massip wrote:

Indeed, you won't be able to set a different project, this is checked.

How did you check? I can reproduce it locally by adding the following line to the news update form

By reading the code, but I fooled myself; you're right, it can be assigned to a different project.
