Improper Authorization in gogs/gogs
Reported on
Mar 6th 2022
Description
When Gogs is built and configured for PAM authentication, it only runs the PAM authentication phase (pam_authenticate, t.Authenticate in pam.go) and never runs the PAM account-management phase (pam_acct_mgmt, t.AcctMgmt), so authorization is skipped completely. Expired accounts and accounts with expired passwords, which PAM only rejects during account management, can therefore still log in.
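The two PAM phases and why the second one matters, as an added example that is not code from Gogs or from the PAM bindings it uses: it models the transaction behind a local interface with a constructed account database (the pamTransaction interface, fakeTransaction type, sample users and error values are all assumptions made for this example) so it runs without libpam. doAuthVulnerable mirrors the pre-patch logic, doAuthFixed the patched logic.

```go
package main

import (
	"errors"
	"fmt"
)

// pamTransaction is the subset of the PAM transaction API that matters here.
// It has the same shape as the Authenticate/AcctMgmt methods Gogs calls, but
// it is a local interface defined for this example (assumption), not the
// real binding.
type pamTransaction interface {
	Authenticate(flags int) error // pam_authenticate: does the credential match?
	AcctMgmt(flags int) error     // pam_acct_mgmt: is the account still valid?
}

// fakeAccount is constructed test data standing in for /etc/shadow state.
type fakeAccount struct {
	password        string
	accountExpired  bool // what chage -E <past date> produces
	passwordExpired bool // what chage -M 0 or passwd -e produces
}

// fakeTransaction is a constructed stand-in for a PAM stack over sampleDB.
type fakeTransaction struct {
	user, password string
	db             map[string]fakeAccount
}

var (
	errAuthFailed     = errors.New("pam: authentication failure")
	errAcctExpired    = errors.New("pam: account has expired")
	errNewAuthTokReqd = errors.New("pam: authentication token is no longer valid; new one required")
)

// Authenticate only checks the credential, exactly like pam_authenticate.
func (t *fakeTransaction) Authenticate(_ int) error {
	acct, ok := t.db[t.user]
	if !ok || acct.password != t.password {
		return errAuthFailed
	}
	return nil
}

// AcctMgmt enforces expiry, exactly the checks pam_acct_mgmt adds.
func (t *fakeTransaction) AcctMgmt(_ int) error {
	acct := t.db[t.user]
	switch {
	case acct.accountExpired:
		return errAcctExpired
	case acct.passwordExpired:
		return errNewAuthTokReqd
	}
	return nil
}

// doAuthVulnerable is the pre-patch flow: a correct password is enough.
func doAuthVulnerable(t pamTransaction) error {
	return t.Authenticate(0)
}

// doAuthFixed runs both phases; an expired account or password now fails.
func doAuthFixed(t pamTransaction) error {
	if err := t.Authenticate(0); err != nil {
		return err
	}
	return t.AcctMgmt(0)
}

// sampleDB is constructed data: bob is expired (chage -E0), carol must change
// her password, alice is a normal account.
var sampleDB = map[string]fakeAccount{
	"alice": {password: "correct-horse"},
	"bob":   {password: "battery-staple", accountExpired: true},
	"carol": {password: "hunter2", passwordExpired: true},
}

func newTx(user, password string) *fakeTransaction {
	return &fakeTransaction{user: user, password: password, db: sampleDB}
}

func main() {
	attempts := []struct{ user, pw string }{
		{"alice", "correct-horse"}, {"bob", "battery-staple"}, {"carol", "hunter2"}, {"alice", "wrong"},
	}
	for _, a := range attempts {
		fmt.Printf("%-6s vulnerable=%v  fixed=%v\n", a.user,
			doAuthVulnerable(newTx(a.user, a.pw)), doAuthFixed(newTx(a.user, a.pw)))
	}
}
```

Running it shows bob and carol accepted by doAuthVulnerable and rejected by doAuthFixed, while alice with the right password passes both and alice with a wrong password fails both. The ordering in doAuthFixed matters: account management must come after a successful authentication, otherwise a caller learns whether an account is expired before proving the credential.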
Proof of Concept
You can expire an account with chage -E0 <username> (chage -l <username> will then show "Account expires : Jan 01, 1970") and still log in to Gogs with that account's password.
Impact
Since disabling (locking) an account in PAM still allows login via SSH keys, it is common to set accounts to expire when access should be denied. Accounts whose access has been revoked this way are therefore still able to log in to Gogs.
Occurrences
internal/auth/pam/pam.go L29
Here's a patch since I don't want to make this public in a repository.
--- a/internal/auth/pam/pam.go
+++ b/internal/auth/pam/pam.go
@@ -26,5 +26,9 @@ func (c *Config) doAuth(login, password string) error {
return err
}
- return t.Authenticate(0)
+ if err = t.Authenticate(0); err != nil {
+ return err
+ }
+
+ return t.AcctMgmt(0)
}
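Review bot: the added t.AcctMgmt(0) call carries no comment explaining why it must follow a successful Authenticate, so a later reader could mistake it for a redundant check and drop it. Add a short comment above it, e.g. "// Account management enforces expiry (chage -E) and expired-password checks that Authenticate alone does not", and keep the order as it is here: running account management only after the credential has been verified avoids telling an unauthenticated caller whether an account is expired.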
References
@admin The gogs team is still working on the other issue they're frozen for. What is the freeze/unfreeze process? Can't find it in the FAQs and sure would like a bounty if possible.
A similar bug has been reported to Gitea, we should coordinate publishing them after both repositories have been fixed.
Gogs have been contacted according to their security.md here: https://github.com/gogs/gogs/issues/6810
@ysf - the prize pot is frozen whilst the entire pot is being consumed by another pending report. Once the report has been reviewed that consumes the entire prize pot, 30 days will elapse before the prize pot refills again.
Created this issue here to help address this better! Feel free to leave your thoughts on the issue too.