
Security (Tag)

Details

Description

Tasks related to enhancing the security of Phabricator.

Recent Activity

Oct 26 2022

epriestley closed T13683: Security Guidance: References to Files in Remarkup as Resolved.

There are some remaining non-security bugs with this that I'll follow up on in T13682. I believe the security side of this is now resolved.

Oct 26 2022, 8:03 PM · Guides, Files, Security
epriestley added a comment to T13683: Security Guidance: References to Files in Remarkup .

The details of this attack will be disclosed at a later date, once installs have had some sort of plausible chance to upgrade.

Oct 26 2022, 8:01 PM · Guides, Files, Security

May 27 2022

epriestley triaged T13683: Security Guidance: References to Files in Remarkup as Normal priority.
May 27 2022, 6:13 PM · Guides, Files, Security

May 17 2022

epriestley closed T13681: Ancient "feed.publish" API is (at best) long obsolete, and arguably exploitable as Resolved.
May 17 2022, 11:31 PM · Security, Feed
epriestley added a revision to T13681: Ancient "feed.publish" API is (at best) long obsolete, and arguably exploitable: D21826: Remove "feed.publish" API.
May 17 2022, 11:29 PM · Security, Feed
epriestley triaged T13681: Ancient "feed.publish" API is (at best) long obsolete, and arguably exploitable as Normal priority.
May 17 2022, 11:27 PM · Security, Feed

May 9 2022

epriestley closed T13679: Non-administrators can incorrectly edit default global settings as Resolved.

I believe D21811 covers this completely.

May 9 2022, 10:19 PM · Security
epriestley updated the task description for T13679: Non-administrators can incorrectly edit default global settings.
May 9 2022, 10:18 PM · Security
epriestley added a revision to T13679: Non-administrators can incorrectly edit default global settings: D21811: Correct overbroad automatic capability grant of global settings objects.
May 9 2022, 10:10 PM · Security
epriestley triaged T13679: Non-administrators can incorrectly edit default global settings as Normal priority.
May 9 2022, 10:08 PM · Security

Apr 29 2022

mormegil added a comment to T13673: CVE-2022-24765 - Multi-user Git Privilege Escalation.

Just for visibility, this is I believe the change that broke Diffusion (which was fixed in rP52df4ff515b7), where the error message is something like

Apr 29 2022, 8:19 AM · Git, Security

Apr 20 2022

epriestley closed T13589: Git may interpret refnames as flags in some commands which accept both refs and paths as Resolved.

I believe these were all hunted down.

Apr 20 2022, 7:15 PM · Security, Git
epriestley added a revision to T13673: CVE-2022-24765 - Multi-user Git Privilege Escalation: D21759: Fix an issue where "git" may be unable to read a temporary file in Diffusion.
Apr 20 2022, 4:31 PM · Git, Security

Apr 14 2022

epriestley closed T13673: CVE-2022-24765 - Multi-user Git Privilege Escalation as Resolved.

I deployed this everywhere in the Phacility cluster yesterday and things have been quiet, so I'm assuming it worked until evidence arises to the contrary.

Apr 14 2022, 1:49 PM · Git, Security
epriestley updated the task description for T13673: CVE-2022-24765 - Multi-user Git Privilege Escalation.
Apr 14 2022, 1:47 PM · Git, Security

Apr 13 2022

epriestley added a comment to T13673: CVE-2022-24765 - Multi-user Git Privilege Escalation.

D21756 effectively makes all Git pathways call setSudoAsDaemon(true).

Apr 13 2022, 6:31 PM · Git, Security
epriestley added a comment to T13673: CVE-2022-24765 - Multi-user Git Privilege Escalation.

Just for visibility, the error messages you'll see if you're affected by this issue look something like this:

Apr 13 2022, 6:06 PM · Git, Security
epriestley added a comment to T13673: CVE-2022-24765 - Multi-user Git Privilege Escalation.

...maybe this is an actual bug in Phabricator where some pathways are just missing the "sudo" wrapper?

Apr 13 2022, 6:06 PM · Git, Security
epriestley triaged T13673: CVE-2022-24765 - Multi-user Git Privilege Escalation as Normal priority.
Apr 13 2022, 5:48 PM · Git, Security

Dec 2 2021

epriestley added a comment to T13037: An attacker gained staff access to Mailgun and was able to read customer API keys.

I'm satisfied that we aren't violating our commitment to our customers by continuing to use Mailgun as a service provider...

Dec 2 2021, 10:39 PM · Phacility, Security, Mail

Aug 19 2021

epriestley updated the task description for T13664: SSRF and Phabricator.
Aug 19 2021, 5:07 PM · Security, Guides
epriestley triaged T13664: SSRF and Phabricator as Low priority.
Aug 19 2021, 4:41 PM · Security, Guides

Apr 8 2021

epriestley added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

Yes. I closed down registration on this install (secure.phabricator.com) several years ago because the overwhelming majority of users who registered accounts here didn't read or follow the rules. Access to secure.phabricator.com is now invite-only.

Apr 8 2021, 12:53 PM · Security, Git
holmboe added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

Please use Discourse to report bugs.

Apr 8 2021, 9:47 AM · Security, Git

Jan 28 2021

epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21528: Correct Diffusion browse behavior when visiting a path URI with no trailing slash.
Jan 28 2021, 12:34 AM · Security, Git

Jan 25 2021

epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21519: Correct Git repository browse behavior for differences in "ls-tree" output.
Jan 25 2021, 5:10 PM · Security, Git

Jan 20 2021

epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21512: Correct a straggling CLI format string after ref selector changes.
Jan 20 2021, 11:04 PM · Security, Git
epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21511: Further correct and disambiguate ref selectors passed to Git on the CLI.
Jan 20 2021, 7:44 PM · Security, Git
epriestley updated the task description for T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.
Jan 20 2021, 6:47 PM · Security, Git

Jan 19 2021

epriestley added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

Please use Discourse to report bugs. See https://discourse.phabricator-community.org/t/repository-view-git-command-failed-error/4510/.

Jan 19 2021, 3:34 PM · Security, Git
Abbe added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

It works with Git 2.1.4 (shipped with Debian Wheezy), but not with Git 2.20.1 (shipped with Debian Buster), or Git 2.30.0 (latest version).

Jan 19 2021, 12:00 PM · Security, Git
Abbe added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

My apologies if this is not the right place to post about this, but it seems that due to ea9cb0b625fb6922c45aecbfdebacc60788ed92d we now get the following error message when visiting a Diffusion repository page, i.e. URL /diffusion/$REPOID/:

Jan 19 2021, 11:44 AM · Security, Git

Jan 15 2021

epriestley changed the visibility for T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.
Jan 15 2021, 6:45 PM · Security, Git
epriestley changed the visibility for T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.
Jan 15 2021, 6:44 PM · Security, Git

Jan 12 2021

epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21510: Disambiguate Git ref selectors in some Git command line invocations.
Jan 12 2021, 8:11 PM · Security, Git
epriestley updated the task description for T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.
Jan 12 2021, 8:10 PM · Security, Git
epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21509: Provide "gitsprintf(...)" and disambiguate Git ref selectors.
Jan 12 2021, 8:09 PM · Security, Git
epriestley triaged T13589: Git may interpret refnames as flags in some commands which accept both refs and paths as Normal priority.
Jan 12 2021, 6:26 PM · Security, Git

Aug 5 2020

epriestley updated the task description for T13241: Guide: SMS is Insecure.
Aug 5 2020, 7:22 PM · Security, Guides

Apr 30 2020

adrelanos added a watcher for Security: adrelanos.
Apr 30 2020, 7:59 PM

Jul 31 2019

epriestley closed T13350: Ancient "slowvote.info" API method bypasses policy checks as Resolved by committing rP2ec39afcd12b: Deprecate ancient "slowvote.info" API method.
Jul 31 2019, 6:28 PM · Slowvote, Security
epriestley added a revision to T13350: Ancient "slowvote.info" API method bypasses policy checks: D20687: Deprecate ancient "slowvote.info" API method.
Jul 31 2019, 6:26 PM · Slowvote, Security
epriestley added a revision to T13350: Ancient "slowvote.info" API method bypasses policy checks: D20686: Fix two minor display issues with the Conduit "*.search" API documentation.
Jul 31 2019, 6:22 PM · Slowvote, Security
epriestley added a revision to T13350: Ancient "slowvote.info" API method bypasses policy checks: D20685: Add a "slowvote.poll.search" API method.
Jul 31 2019, 6:17 PM · Slowvote, Security

Jul 30 2019

epriestley added a revision to T13350: Ancient "slowvote.info" API method bypasses policy checks: D20684: Fix policy behavior of "slowvote.info" API method.
Jul 30 2019, 6:53 PM · Slowvote, Security
epriestley triaged T13350: Ancient "slowvote.info" API method bypasses policy checks as Low priority.
Jul 30 2019, 6:46 PM · Slowvote, Security

Jul 15 2019

amckinley closed T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI, a subtask of T6755: Allow more granular configuration of `security.allow-outbound-http`, as Resolved.
Jul 15 2019, 6:53 PM · Security
amckinley closed T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI as Resolved by committing rP7852adb84bbe: Actually enforce auth.lock-config.
Jul 15 2019, 6:53 PM · Auth, Security

Jul 10 2019

amckinley added a revision to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI: D20645: Actually enforce auth.lock-config.
Jul 10 2019, 3:05 PM · Auth, Security

Apr 18 2019

epriestley added a revision to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI: Restricted Differential Revision.
Apr 18 2019, 2:05 PM · Auth, Security