Security (Tag · Active · Public)

Properties

Description

Tasks related to enhancing the security of Phabricator.

Recent Activity

Sun, Mar 26

epriestley reopened T8918: Header shows number of notifications and various other controls on the 2FA auth screen as "Open".

(This was incorrectly closed by the text "doesn't actually fix T8918" in rP08de131da525.)

Sun, Mar 26, 8:15 PM · Security, Auth

Mon, Mar 20

epriestley closed T12408: Security: "Show Raw File" in Differential generated files with overbroad permissions as "Resolved".

We don't plan to take any other upstream actions here, but let us know if anyone has further questions.

Mon, Mar 20, 2:16 PM · Differential, Files, Security

Thu, Mar 16

epriestley added a comment to T12408: Security: "Show Raw File" in Differential generated files with overbroad permissions.

(You could also pipe the list into bin/remove destroy --force, equivalently.)

Thu, Mar 16, 8:22 PM · Differential, Files, Security
epriestley added a comment to T12408: Security: "Show Raw File" in Differential generated files with overbroad permissions.

You can re-run the migration explicitly with:

Thu, Mar 16, 8:22 PM · Differential, Files, Security
cspeckmim added a comment to T12408: Security: "Show Raw File" in Differential generated files with overbroad permissions.

We ran the script provided above to get an audit of at-risk files. Afterwards we upgraded our instance and the upgrade succeeded; however, its attempts to delete the affected files failed. The failure is due to using a local file store which is accessible to our web service account but not to the Phabricator phd service account (T4752). After correcting the file permissions so both accounts have appropriate access, running the upgrade again doesn't seem to remove the files.

Thu, Mar 16, 8:11 PM · Differential, Files, Security
epriestley added a comment to T12408: Security: "Show Raw File" in Differential generated files with overbroad permissions.

It is likely that the vulnerable code predates significant portions of the Files and permissions systems, and was just overlooked as these other systems upgraded and gained more powerful policy and permissions capabilities.

Thu, Mar 16, 5:35 PM · Differential, Files, Security
epriestley added a comment to T12408: Security: "Show Raw File" in Differential generated files with overbroad permissions.

The fix is now available on master (rP7626ec0c) and stable (rP6f879559). I've upgraded this install without incident. Per above, note that upgrading destroys evidence, so you should plan any audit or response actions you want to take before upgrading.

Thu, Mar 16, 5:17 PM · Differential, Files, Security
epriestley added a revision to T12408: Security: "Show Raw File" in Differential generated files with overbroad permissions: D17504: Correct an issue where "View Raw File" in Differential generated a file with overbroad permissions.
Thu, Mar 16, 4:55 PM · Differential, Files, Security
epriestley created T12408: Security: "Show Raw File" in Differential generated files with overbroad permissions.
Thu, Mar 16, 4:51 PM · Differential, Files, Security
epriestley added a parent task for T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045]: T12404: Implement a first-party SMTP client.
Thu, Mar 16, 1:06 AM · Mail, Security

Fri, Mar 3

epriestley added a commit to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed"): rP8ce25838f541: Provide "bin/auth revoke" with a revoker for Conduit tokens.
Fri, Mar 3, 10:39 PM · Guides, Security
epriestley added a revision to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed"): D17458: Provide "bin/auth revoke" with a revoker for Conduit tokens.
Fri, Mar 3, 10:22 PM · Guides, Security

Thu, Mar 2

epriestley closed T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed") as "Resolved".

Closing this since there doesn't seem to be any thing left that's actionable for us.

Thu, Mar 2, 5:29 PM · Guides, Security

Feb 24 2017

allixsenos edited the description of T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").
Feb 24 2017, 2:41 PM · Guides, Security
epriestley added a comment to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").

Broadly, there is nothing Phabricator could have done differently to anticipate or prevent this issue.

Feb 24 2017, 2:31 PM · Guides, Security
epriestley added a comment to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").

We could also provide some kind of bin/auth burn-everything-to-the-ground to automate these steps, but I worry that it would almost never be tested (I think it's very difficult to test comprehensively in an automated way) or run, and there's a good chance it might be forgotten about when authentication changes occur.

Feb 24 2017, 2:24 PM · Guides, Security
epriestley edited the description of T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").
Feb 24 2017, 2:12 PM · Guides, Security
epriestley added a comment to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").

Ah, you're right. It looks like request data may also have leaked. I'll edit my earlier posts to reflect that. Briefly, the change is: passwords and VCS passwords are potentially at risk.

Feb 24 2017, 2:12 PM · Guides, Security
allixsenos added a comment to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").

Has Cloudflare explicitly said that only responses were leaked, and never requests? I recall "POST data" being explicitly called out as showing up in the leaks, but I can't remember if this was in an official write-up or media coverage.

Feb 24 2017, 1:43 PM · Guides, Security
epriestley added a comment to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").

NOTE: If Aphlict is served from the same domain as Phabricator (e.g., just on a different port) with Cloudflare as an intermediary, none of the rest of this comment applies: browsers could have sent credentials with the request and Cloudflare could have cached them.

Feb 24 2017, 12:50 PM · Guides, Security
epriestley added a comment to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").

To cycle passwords, you can do this:

Feb 24 2017, 12:43 PM · Guides, Security
allixsenos added a comment to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").

Only our websocket host is behind CF proxies, so I invalidated all auth sessions by changing the security.hmac-key. I wanted to also invalidate all Conduit tokens just as a fire drill but couldn't find a method of doing this.

Feb 24 2017, 10:56 AM · Guides, Security
revi added a comment to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").

If you have configured your entire install behind Cloudflare (we do not encourage this in the documentation), you are at greater risk, as anything served by Phabricator could have been leaked. If you believe you are affected and would like help rotating sessions and invalidating credentials, let us know.

Feb 24 2017, 6:03 AM · Guides, Security
epriestley added a comment to T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").

Although this problem is severe, the absolute size of the leak appears to be small (my task title is hyperbolic). From the Cloudflare disclosure:

Feb 24 2017, 12:21 AM · Guides, Security
epriestley edited the description of T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").
Feb 24 2017, 12:15 AM · Guides, Security
epriestley edited the description of T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").
Feb 24 2017, 12:15 AM · Guides, Security
epriestley created T12313: Cloudflare leaked all HTTPS traffic on the internet into public caches ("Cloudbleed").
Feb 24 2017, 12:11 AM · Guides, Security

Feb 14 2017

epriestley added a comment to T12178: Users can send messages to Conpherence rooms they do not have CAN_JOIN permission for.

(Or we should just remove CAN_JOIN -- is there any actual use case for read-only rooms? If there is, shouldn't users still be able to join those rooms in order to follow them, just not send messages?)

Feb 14 2017, 3:08 PM · Conpherence, Security
epriestley added a comment to T12178: Users can send messages to Conpherence rooms they do not have CAN_JOIN permission for.

A related issue is that CAN_EDIT does not imply CAN_JOIN, so users with CAN_EDIT but no CAN_JOIN can get a policy error while trying to join.

Feb 14 2017, 3:07 PM · Conpherence, Security

Feb 8 2017

epriestley commandeered D17323: Add more phone numbers to "Shields Up" action.

I'll make the other adjustments -- str_replace() is the right approach, but this vital production infrastructure could probably use some unit tests anyway.

Feb 8 2017, 5:18 PM · Abuse
remusvrm asked a question: Q561: Why tickets created using API Token don't appear in "Recent Activity" view?

We are using the phabricator-sentry python package to create tickets in Phabricator from Sentry.
They get created, but they don't show up in the "Recent Activity" view.
Are there any reasons why?

Feb 8 2017, 9:23 AM · Security
Blendify added a comment to D17323: Add more phone numbers to "Shields Up" action.

Yes, I just copied and pasted the diff. I was having an issue getting arc working for https://secure.phabricator.com/

Feb 8 2017, 2:19 AM · Abuse
cspeckmim added a comment to D17323: Add more phone numbers to "Shields Up" action.

Aha that makes sense. Thanks.

Feb 8 2017, 12:05 AM · Abuse
chad added a comment to D17323: Add more phone numbers to "Shields Up" action.

My guess is it was a cut & paste diff

Feb 8 2017, 12:04 AM · Abuse
cspeckmim added a comment to D17323: Add more phone numbers to "Shields Up" action.

Out of curiosity, why are there "Context not available." indicators here? Am I not supposed to see R25 Secure?

Feb 8 2017, 12:01 AM · Abuse

Feb 7 2017

Blendify updated the diff for D17323: Add more phone numbers to "Shields Up" action.

I changed some things you requested but I do not have enough knowledge of php to do the other part. Maybe use str_replace? Anyway... feel free to commandeer this and make the change

Feb 7 2017, 9:40 PM · Abuse
epriestley requested changes to D17323: Add more phone numbers to "Shields Up" action.

Let's really AMP THIS UP to the NEXT LEVEL 🚀

Feb 7 2017, 8:56 PM · Abuse
Blendify created D17323: Add more phone numbers to "Shields Up" action.
Feb 7 2017, 8:27 PM · Abuse

Feb 1 2017

chad added a comment to T12178: Users can send messages to Conpherence rooms they do not have CAN_JOIN permission for.

🤔

Feb 1 2017, 1:14 AM · Conpherence, Security
epriestley created T12178: Users can send messages to Conpherence rooms they do not have CAN_JOIN permission for.
Feb 1 2017, 1:10 AM · Conpherence, Security

Jan 5 2017

aubort added a watcher for Security: aubort.
Jan 5 2017, 8:42 AM

Jan 2 2017

Herald updated subscribers of T6994: Write a general "Security guidelines" document.
Jan 2 2017, 1:49 PM · Security
Herald updated subscribers of T4340: Implement Content-Security-Policy and Strict-Transport-Security headers.
Jan 2 2017, 1:49 PM · Phacility, Security

Jan 1 2017

DemiMarie added a comment to T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045].

libcurl supports SMTP (see https://curl.haxx.se/libcurl/c/smtp-mail.html) and can be used instead, provided that the relevant functions are exposed to PHP. This avoids needing to shell out to an external executable.

Jan 1 2017, 7:50 PM · Mail, Security

Dec 28 2016

epriestley added a comment to T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045].

From a cursory read of CVE-2016-10045, it seems like PHP may be written in such a way that mail() can not be invoked safely. Silly PHP!

Dec 28 2016, 8:11 AM · Mail, Security
eadler renamed T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045] from "PHPMailer RCE [CVE-2016-10033]" to "PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045]".
Dec 28 2016, 7:24 AM · Mail, Security
eadler added a comment to T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045].

updated advisory; https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
I don't think this changes the plan you suggest, just linking for completeness.

Dec 28 2016, 7:16 AM · Mail, Security

Dec 26 2016

epriestley lowered the priority of T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045] from "High" to "Low".

This appears to be the fix:

Dec 26 2016, 4:51 PM · Mail, Security
epriestley created T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045].
Dec 26 2016, 4:14 PM · Mail, Security

Dec 12 2016

epriestley closed T4439: Set up SPF records for domains we control as "Resolved".

This got done at some point, I believe, since we have an SPF record now.

Dec 12 2016, 9:44 PM · Mail, Security