* security flaw with smart http
From: Ivan Kanis @ 2012-06-22 10:12 UTC (permalink / raw)
To: Git Mailing List
Hi,
I think we found a security flaw with git http smart backend. We are
running git version 1.0.7.4 on our server. Adding random words after the
password and the authentication still succeeds.
It's very easy to reproduce, say the username is ivan and the password
is the word secret:
% git pull
Username: ivan
Password: secretfoo
Already up to date.
Pull succeeds although the password is wrong! Can someone try to
reproduce with a more up to date git server?
--
Ivan Kanis
http://ivan.kanis.fr
* Re: security flaw with smart http
From: Shawn Pearce @ 2012-06-22 17:54 UTC (permalink / raw)
To: Ivan Kanis; +Cc: Git Mailing List
On Fri, Jun 22, 2012 at 3:12 AM, Ivan Kanis <ivan.kanis@googlemail.com> wrote:
> I think we found a security flaw with git http smart backend. We are
> running git version 1.0.7.4 on our server. Adding random words after the
> password and the authentication still succeeds.
git http-backend does not handle authentication or authorization. This
is handled in your web server. You should consult your web server's
documentation, and maybe its configuration files.
> It's very easy to reproduce, say the username is ivan and the password
> is the word secret:
>
> % git pull
> Username: ivan
> Password: secretfoo
> Already up to date.
>
> Pull succeeds although the password is wrong! Can someone try to
> reproduce with a more up to date git server?
Git is freely available under the GPLv2 license. I believe it is
possible for you to attempt experiments yourself with more up-to-date
versions if you wish.
* Re: security flaw with smart http
From: Junio C Hamano @ 2012-06-22 19:34 UTC (permalink / raw)
To: Shawn Pearce; +Cc: Ivan Kanis, Git Mailing List
Shawn Pearce <spearce@spearce.org> writes:
> On Fri, Jun 22, 2012 at 3:12 AM, Ivan Kanis <ivan.kanis@googlemail.com> wrote:
>> I think we found a security flaw with git http smart backend. We are
>> running git version 1.0.7.4 on our server. Adding random words after the
>> password and the authentication still succeeds.
>
> git http-backend does not handle authentication or authorization. This
> is handled in your web server. You should consult your web server's
> documentation, and maybe its configuration files.
Very good advice.
> Git is freely available under the GPLv2 license. I believe it is
> possible for you to attempt experiments yourself with more up-to-date
> versions if you wish.
And the result is very unlikely to change, if the only change
between the earlier experiment and the next one is the vintage of
Git used, as the part that makes authentication decision is Ivan's
webserver and its configuration, which is not going to change
between the two experiments.
I do not recall ever releasing 1.0.7.4, nor having smart http
support before v1.6.6, by the way.
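The authentication decision Junio describes is made by the web server in front of git http-backend, so the useful check is one that talks to the web server directly and leaves git out of it: request the smart-HTTP ref advertisement (`<repo>/info/refs?service=git-upload-pack`, the first request the git client makes) with the real password and with several mangled variants, and see which ones get 200 rather than 401. The code below is an added example in Python and is not code from this thread or from git. The in-process stand-in server, the repository URL, the username ivan and the password secret are constructed for the demonstration; its prefix-matching mode exists only to reproduce the reported symptom locally and is not a description of what Ivan's Apache configuration did.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def fetch_status(url, username, password):
    """GET url with HTTP Basic credentials and return the status code."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_auth(repo_url, username, password):
    """Probe the smart-HTTP ref advertisement with the real password and several
    mangled variants.  Returns (statuses, strict); strict is True only when the
    correct password gets 200 and every mangled variant gets 401."""
    info_refs = repo_url.rstrip("/") + "/info/refs?service=git-upload-pack"
    variants = {
        "correct": password,
        "suffix": password + "foo",      # the "secretfoo" case from the thread
        "prefix": "foo" + password,
        "truncated": password[:-1],
        "empty": "",
    }
    statuses = {name: fetch_status(info_refs, username, pw) for name, pw in variants.items()}
    strict = statuses["correct"] == 200 and all(
        code == 401 for name, code in statuses.items() if name != "correct")
    return statuses, strict


def make_server(valid_user, valid_pass, exact=True):
    """Constructed stand-in for the web server in front of git-http-backend.
    exact=True compares the whole password; exact=False accepts any password that
    merely starts with the right one, which reproduces the reported symptom.
    This is a local stand-in, not a model of Apache's behaviour."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def do_GET(self):
            header = self.headers.get("Authorization", "")
            authorised = False
            if header.startswith("Basic "):
                try:
                    user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                except ValueError:  # bad base64 or bad UTF-8
                    user, pw = None, None
                if user == valid_user:
                    authorised = pw == valid_pass if exact else pw.startswith(valid_pass)
            if authorised:
                self.send_response(200)
                self.send_header("Content-Type", "application/x-git-upload-pack-advertisement")
                self.end_headers()
                self.wfile.write(b"001e# service=git-upload-pack\n0000")  # minimal pkt-line advert
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="git"')
                self.end_headers()

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_against(exact):
    """Start a stand-in server, probe it, stop it; returns probe_auth's result."""
    server = make_server("ivan", "secret", exact=exact)
    try:
        return probe_auth(f"http://127.0.0.1:{server.server_port}/repo.git", "ivan", "secret")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for exact in (True, False):
        statuses, strict = run_against(exact)
        print("exact" if exact else "prefix-only", statuses, "OK" if strict else "AUTH IS LAX")
```

Against a real deployment, call probe_auth with the URL that `git pull` was using; a 200 for any mangled variant means the web server, not git, accepted it, which is where to look next. The verdict assumes the server answers the correct password with a plain 200: if it redirects, or allows anonymous reads, read the per-variant statuses rather than the boolean.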
* Re: security flaw with smart http
From: Philippe Vaucher @ 2012-06-25 11:24 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Shawn Pearce, Ivan Kanis, Git Mailing List
> I do not recall ever releasing 1.0.7.4, nor having smart http
> support before v1.6.6, by the way.
It sounds very likely that he meant 1.7.4, no?
Philippe
* Re: security flaw with smart http
From: Ivan Kanis @ 2012-06-25 12:59 UTC (permalink / raw)
To: Philippe Vaucher; +Cc: Junio C Hamano, Shawn Pearce, Git Mailing List
Philippe Vaucher <philippe.vaucher@gmail.com> wrote:
>> I do not recall ever releasing 1.0.7.4, nor having smart http
>> support before v1.6.6, by the way.
>
> It sounds very likely that he meant 1.7.4 no?
It's compiled from a 1.7.0.4 tarball; amusingly, git --version says 1.0.7.4.
--
Ivan Kanis
http://ivan.kanis.fr
By preaching, one can seduce the people;
By bargaining, one can deceive them well;
By litigating, one can eat up one's wealth.
-- Clément Marot
* Re: security flaw with smart http
From: Erik Faye-Lund @ 2012-06-25 13:10 UTC (permalink / raw)
To: Ivan Kanis
Cc: Philippe Vaucher, Junio C Hamano, Shawn Pearce, Git Mailing List
On Mon, Jun 25, 2012 at 2:59 PM, Ivan Kanis <ivan.kanis@googlemail.com> wrote:
> Philippe Vaucher <philippe.vaucher@gmail.com> wrote:
>
>>> I do not recall ever releasing 1.0.7.4, nor having smart http
>>> support before v1.6.6, by the way.
>>
>> It sounds very likely that he meant 1.7.4 no?
>
> It's compiled from a 1.7.0.4 tarball; amusingly, git --version says 1.0.7.4.
Could it be that there's a typo in the "version"-file of that release?
AFAICT, the tag at github looks correct (no "version"-file, but what's
in GIT-VERSION-GEN looks correct). Unfortunately, the current official
release-archive at google code
(http://code.google.com/p/git-core/downloads/list) doesn't contain
that particular release, nor does the old official release-archive
(http://www.kernel.org/pub/software/scm/git/), so it's difficult to
tell.
* Re: security flaw with smart http
From: Ivan Kanis @ 2012-06-28 7:35 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Shawn Pearce, Git Mailing List
Junio C Hamano <gitster@pobox.com> wrote:
> Shawn Pearce <spearce@spearce.org> writes:
>
>> On Fri, Jun 22, 2012 at 3:12 AM, Ivan Kanis <ivan.kanis@googlemail.com> wrote:
>>> I think we found a security flaw with git http smart backend. We are
>>> running git version 1.0.7.4 on our server. Adding random words after the
>>> password and the authentication still succeeds.
>>
>> git http-backend does not handle authentication or authorization. This
>> is handled in your web server. You should consult your web server's
>> documentation, and maybe its configuration files.
>
> Very good advice.
In case someone is reading this thread I confirm the problem comes from
Apache.
--
Ivan Kanis, Release Manager, Vision Objects,
Evil is a mule: it is stubborn and sterile.
-- Victor Hugo