Salsa GitHub integration disabled


Today we were privately informed about a misconfigured OAuth callback
URL in our GitHub application.  We only allow its use for repository
import, so it is not widely used.  This misconfiguration allowed a
covert redirect vulnerability[1] and possible account takeover of any
account using the integration.  We quickly changed that setting to a
better suited value.

During the discussion we were informed that GitHub overall does pretty
loose checking of the callback or redirect URL.  They accept all
sub-resources and, more problematic, all sub-domains.[2]  If you
configure the URL to https://example.com/users, it will happily accept:
- https://example.com/users/bla
- https://bla.example.com/users
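As an added illustration (not part of the original mail, and not GitHub's code), the following Python puts the two matching rules side by side: the loose "sub-resources and sub-domains" rule described above, modelled here as an assumption about the behaviour, and exact matching of scheme, host, port and path as RFC 6749 recommends. The registered URL and the candidate values are the ones from the mail.

```python
from urllib.parse import urlsplit

REGISTERED = "https://example.com/users"  # the callback URL from the mail

def loose_match(registered: str, candidate: str) -> bool:
    """Assumed model of the permissive rule described in the mail: same
    scheme, host equal to or a sub-domain of the registered host, path
    equal to or beneath the registered path."""
    reg, cand = urlsplit(registered), urlsplit(candidate)
    reg_host, cand_host = reg.hostname or "", cand.hostname or ""
    if reg.scheme != cand.scheme or not reg_host or not cand_host:
        return False
    host_ok = cand_host == reg_host or cand_host.endswith("." + reg_host)
    reg_path = reg.path.rstrip("/")
    path_ok = cand.path == reg_path or cand.path.startswith(reg_path + "/")
    return host_ok and path_ok

def strict_match(registered: str, candidate: str) -> bool:
    """Exact comparison of scheme, host, port and path (RFC 6749 3.1.2
    style); a fragment in the redirect URI is never allowed."""
    reg, cand = urlsplit(registered), urlsplit(candidate)
    if cand.fragment:
        return False
    return (reg.scheme, reg.hostname, reg.port, reg.path) == \
           (cand.scheme, cand.hostname, cand.port, cand.path)

def classify(registered: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each candidate redirect URL to (loose_accepts, strict_accepts)."""
    return {c: (loose_match(registered, c), strict_match(registered, c))
            for c in candidates}

# Constructed sample: the exact URL, the two variants named in the mail,
# and a scheme downgrade that neither rule should accept.
SAMPLES = [
    "https://example.com/users",
    "https://example.com/users/bla",
    "https://bla.example.com/users",
    "http://example.com/users",
]

if __name__ == "__main__":
    for url, (loose, strict) in classify(REGISTERED, SAMPLES).items():
        print(f"{url:35} loose={loose!s:5} strict={strict!s:5}")
```

Only the exact registration survives the strict rule; the two variants from the mail pass the loose one, which is why an unrelated host under the registered domain matters.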

We host services on sub-domains of salsa.debian.org.  I was not able to
verify quickly that none of those services could help in this attack.
So I decided to disable the integration for now.

Sorry about any inconvenience.


[1]: https://oauth.net/advisories/2014-1-covert-redirect/
[2]: https://hackerone.com/reports/292825