
Admin account hacked

Added by Helmut Auer over 12 years ago

Hello,
A damn bloody idiot (sorry for that :) found a security hole in Redmine and registered himself as admin. He created a new user account, without validation by me (but the settings do not allow this).
Then I restored an old database, updated to the latest Redmine SVN, but some minutes later the same happened again :(
Are there any hints on how to avoid this?


Replies (6)

RE: Admin account hacked - Added by Etienne Massip over 12 years ago

What's your redmine version, can you find something in log about this account creation?

RE: Admin account hacked - Added by Jan from Planio www.plan.io over 12 years ago

Do you have any plugins installed? If so, you may want to remove them temporarily. Current Redmine trunk is not known to have any unfixed security vulnerabilities, but any plugins may have.

I'd be interested in learning more about the attack that happened and see if there's something we need to address in Redmine. If you like, you can contact me at jan (at) plan (dot) io and we can have a look at it together.

RE: Admin account hacked - Added by Mischa The Evil over 12 years ago

Jan from Planio www.plan.io wrote:

[...] Current Redmine trunk is not known to have any unfixed security vulnerabilities, [...]

Off-topic but maybe important to notice: #9245. That should be included in a 1.2.2 release sooner rather than later. The only problem is that only Jean-Philippe can do releases AFAIK.

RE: Admin account hacked - Added by Helmut Auer over 12 years ago

Hello All,

As far as I can see now, the hacker was able to get my password from my forum. I don't know how, but there it was of no use to him, because you need a second PW as admin there.
But unfortunately it was the same PW as my Redmine admin account has.
So it's no Redmine vulnerability - good to know :)
Anyway, is there an easy way to make the admin access safer, by adding a second PW, an IP range or something like that?

Bye
Helmut

RE: Admin account hacked - Added by Jan from Planio www.plan.io over 12 years ago

Helmut has given me access to his Redmine database and I have checked for any signs of XSS exploits in wiki pages, issue comments, or other areas and could not find anything. I've also checked the logs of the server in question. It seems as if the attacker did indeed enter via a password he was able to extract elsewhere. So seemingly, this was not a Redmine-related attack/vulnerability.

RE: Admin account hacked - Added by Mischa The Evil over 12 years ago

Jan from Planio www.plan.io wrote:

Helmut has given me access to his Redmine database and I have checked for any signs of XSS exploits in wiki pages, issue comments, or other areas and could not find anything. I've also checked the logs of the server in question. It seems as if the attacker did indeed enter via a password he was able to extract elsewhere. So seemingly, this was not a Redmine-related attack/vulnerability.

Jan,

Thanks for your support on this matter...

Helmut Auer wrote:

Anyway is there an easy way to make the admin access more safe [...]

Easiest things to do which are "supported" by Redmine natively include:

Helmut Auer wrote:

[...] by adding a second PW, an IP range or something like that ?

AFAIK both options aren't available at the level Redmine is operating on currently.
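Mischa's answer above is about what Redmine itself offers; both of the controls Helmut asked for (an IP range and a second password for the admin area) can be added one layer down, at the reverse proxy in front of Redmine. The nginx configuration below is an added example for this thread, not code from Redmine, from Planio or from any of the posters. It assumes Redmine is served by nginx proxying to an application server on 127.0.0.1:3000, uses redmine.example.org, 192.0.2.0/24 and the certificate paths as placeholders, and assumes the URL prefixes in the regex are the administration pages you want to fence off.

```nginx
# Added example, not part of the original thread or of Redmine.
# Assumptions: Redmine app server on 127.0.0.1:3000 (hypothetical),
# hostname redmine.example.org (placeholder), admin workstations/VPN in
# 192.0.2.0/24 (documentation range, replace with your own).

upstream redmine_app {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name redmine.example.org;

    ssl_certificate     /etc/ssl/certs/redmine.pem;     # placeholder paths
    ssl_certificate_key /etc/ssl/private/redmine.key;

    # Normal use: issues, wiki, repositories, user profiles. Unchanged.
    location / {
        proxy_pass http://redmine_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Administration area: reachable only from the allowed range AND only
    # with a proxy-level password that is unrelated to the Redmine admin
    # password. "satisfy all" makes both conditions mandatory.
    # The trailing (/|\.|$) also catches the REST API variants such as
    # /users.json, which an attacker with the admin password could use.
    location ~ ^/(admin|settings|roles|trackers|custom_fields|enumerations|workflows|groups|auth_sources|plugins|info)(/|\.|$) {
        satisfy all;

        allow 192.0.2.0/24;
        deny  all;

        auth_basic           "Redmine administration";
        auth_basic_user_file /etc/nginx/redmine-admin.htpasswd;  # htpasswd(1)

        proxy_pass http://redmine_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Create the second password with `htpasswd -c /etc/nginx/redmine-admin.htpasswd helmut` (from apache2-utils or httpd-tools) and do not reuse either Redmine or forum credentials for it. Two caveats: `/users` is deliberately left out of the regex because `/users/:id` is also the public profile page in Redmine, so restricting it would break profile views for everyone; add `/users/new` and `/users/` plus the `.json`/`.xml` listing separately if you want user creation fenced off too. And this only limits what a stolen admin password can reach; the actual fix for the incident described in the thread is still a unique admin password, rotated after the compromise, together with a check of the users table for accounts you did not create.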
