Since Fedora moved from Pagure to Forgejo, I finally had an incentive to take a good look at Forgejo's security posture. The results aren't pretty, to be honest: SSRF in a lot of places, no CSP/Trusted Types, a bit of ghetto templating in JavaScript, cryptographic malpractices, oversights in the authentication mechanisms (OAuth2, OTP, session/access handling, post-compromise recovery, …), a bunch of low-hanging DoS, information leaks all over the place, various TOCTOU, … All in all, it took me one evening after work to find a good amount of vulnerabilities (adding to the one I got from looking at Gitea at some point in the past), and chain them to obtain a full-blown RCE, secrets leaks, persistent account access, OAuth2 privesc, … Fortunately (or unfortunately, depending on who you're asking), the exploit relies on open registration, and on a configuration option set to a non-default value (which is the case on some instances I've looked at, so nothing exotic). This means that the selling…