Arbitrary file deletion in Gitea in go-gitea/gitea

Valid

Reported on

Mar 12th 2022

Description

When user delete the LFS data in Gitea, the oid parameter is not been validated. The attacker can make an oid whose prefix is .... to traverse directory and delete any files on the server.

Proof of Concept

Create a repository on Gitea. (e.g. foo/bar)

Send a POST request with your Gitea cookies and set CSRF token in request body.

POST /foo/bar/settings/lfs/delete/....%2fcustom%2fconf%2fapp.ini

The Gitea configuration custom/conf/app.ini has been deleted.

Impact

This vulnerability is capable of deleting the files on the server, which allows the attacker to make the service unavailable. With deleting the Gitea configuration file, the attacker can reinstall the entire program after restarting.

We are processing your report and will contact the go-gitea/gitea team within 24 hours. 2 years ago

We have contacted a member of the go-gitea/gitea team and are waiting to hear back 2 years ago

We have sent a follow up to the go-gitea/gitea team. We will try again in 7 days. 2 years ago

A go-gitea/gitea maintainer

commented 2 years ago

Maintainer

Thanks for this report, we've resolved this in https://github.com/go-gitea/gitea/pull/19072

We are writing the blog post right and and will be crediting your username (and huntr.dev too), please let us know if you'd prefer a different credit other than your username.

E99p1ant

commented 2 years ago

Researcher

Thanks. Could you please use E99p1ant as the credit name? And here is my GitHub profile: https://github.com/wuhan005

A go-gitea/gitea maintainer has acknowledged this report 2 years ago

zeripath validated this vulnerability 2 years ago

E99p1ant has been awarded the disclosure bounty

The fix bounty is now up for grabs

zeripath marked this as fixed in 1.16.4 with commit 49db87 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

E99p1ant

commented 2 years ago

Researcher

Hi, I noticed that the blog post has been released. It seems like my username is missing in the post. 😂

A go-gitea/gitea maintainer

commented 2 years ago

Maintainer

https://gitea.com/gitea/blog/pulls/188 will fix that.

to join this conversation

We are processing your report and will contact the go-gitea/gitea team within 24 hours. 2 years ago

We have contacted a member of the go-gitea/gitea team and are waiting to hear back 2 years ago

We have sent a follow up to the go-gitea/gitea team. We will try again in 7 days. 2 years ago

A go-gitea/gitea maintainer

commented 2 years ago

Maintainer

Thanks for this report, we've resolved this in https://github.com/go-gitea/gitea/pull/19072

We are writing the blog post right and and will be crediting your username (and huntr.dev too), please let us know if you'd prefer a different credit other than your username.

E99p1ant

commented 2 years ago

Researcher

Thanks. Could you please use E99p1ant as the credit name? And here is my GitHub profile: https://github.com/wuhan005

A go-gitea/gitea maintainer has acknowledged this report 2 years ago

zeripath validated this vulnerability 2 years ago

E99p1ant has been awarded the disclosure bounty

The fix bounty is now up for grabs

zeripath marked this as fixed in 1.16.4 with commit 49db87 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

E99p1ant

commented 2 years ago

Researcher

Hi, I noticed that the blog post has been released. It seems like my username is missing in the post. 😂

A go-gitea/gitea maintainer

commented 2 years ago

Maintainer

https://gitea.com/gitea/blog/pulls/188 will fix that.

to join this conversation