Remote Code Execution

[snyff]

The vulnerability impacting Gogs also impacts gitea
gogs/gogs#5558

• Gitea version (or commit ref): 8dc09ed

• Can you reproduce the bug at https://try.gitea.io:

  • Yes

Description

By using upload file with a malicious filename, an attacker is able to become any users and then gain code execution using hooks.

Gogs already worked on the issue in their develop branch

Screenshots

Me logged in as user_id 1

Is this responsible disclosure?

[snyff]

@JHabdas, I didn't know that Gitea and Gogs were sharing the same code base until I learnt a bit more about the projects and the schism. Once I learnt about it, I thought I should give you guys a heads-up.

[lunny]

@snyff could you send some detail to security at gitea.io ?

[snyff]

sent!

[techknowlogick]

@snyff thanks for the report. You will be thanked officially in the release blog post, and we appreciate your report 😄

[snyff]

@techknowlogick: thanks for that! Can you thank "@PentesterLab" or "Louis from PentesterLab (pentesterlab.com)" for example instead of snyff.

[techknowlogick]

@snyff sounds good. The blog post PR is here: https://github.com/go-gitea/blog/pull/82/files#diff-e0f59ce8bb7e55f0518fc0ecafac06d7 is that suitable, or would you prefer something else.

[snyff]

That's perfect!