Fossil SCM
RCE by exploiting unchecked content of the ticket-table setting
56b82836ffba995…
· opened 5 years, 7 months ago
- Type: Code_Defect
- Priority: Immediate
- Severity: Critical
- Resolution: Fixed
- Subsystem: —
- Created: Aug. 17, 2020 8:36 a.m.
On a clone (or on a "fossil config pull ticket") the SQL text in the ticket-table setting is run on the client, without restriction. A malicious server admin could put SQL in that setting that changes the value of other settings such as "ssh-command" and/or "last-sync-url" which could then cause arbitrary code to run the next time the victim did a "fossil pull".
Problem discovered by Max Justicz.
Comments (2)
Add an authorizer to the ticket-table script processing.