Security (Tag)
Active, Public

Details

Description

Tasks related to enhancing the security of Phabricator.

Recent Activity

Tue, Feb 20

Herald updated subscribers of T5590: Change diffusion.allow-http-auth into an application policy and improve security features.
Tue, Feb 20, 10:01 PM · Security, Diffusion

Fri, Feb 16

epriestley added a comment to T13084: Phriction page links using URL encoding can be retargeted without editing.

A similar "attack" is to send a link to two destinations based on the viewer:

Fri, Feb 16, 2:41 PM · Phriction, Security
epriestley closed T13084: Phriction page links using URL encoding can be retargeted without editing as Wontfix.
Fri, Feb 16, 2:23 PM · Phriction, Security

Wed, Feb 14

epriestley removed a project from T6960: Support %P in qsprintf(): Phacility.
Wed, Feb 14, 1:09 PM · Security, Infrastructure

Thu, Feb 1

epriestley closed T13037: An attacker gained staff access to Mailgun and was able to read customer API keys as Resolved.

My call with Mailgun was generally reassuring. Based on an uncharitable reading of the January 5th disclosure, my major concern was that they might be starting from a cultural position which was blind to internal actors as threats and everyone just used root / hunter2 written on a sticky note to log in to everything or something like that.

Thu, Feb 1, 9:42 PM · Phacility, Security, Mail

Wed, Jan 31

epriestley closed T12800: When Excel opens a CSV file, it just runs whatever arbitrary code might be in the file as Resolved by committing rPf9336e56940f: Mangle cells that look a little bit like formulas in CSV files.
Wed, Jan 31, 11:33 PM · Security
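The T12800 fix above addresses CSV formula injection: a cell that begins with a character such as "=" is evaluated by Excel on open, so an attacker who controls a task title can plant a formula that runs when someone exports and opens the CSV. The block below is an added example of the "mangle cells that look like formulas" technique written for this page; it is not Phabricator's code from rPf9336e56940f, and the page does not show the project's exact mangling rule. The function names, the list of leading characters, the numeric-literal exemption and the sample rows (including the DDE-style payload cell) are all my own assumptions and constructed input.

```python
import csv
import io

# Added illustration for this page; not Phabricator's implementation.
# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as
# the start of a formula, plus tab and CR, which some importers strip before
# parsing. This list is an assumption, not the project's rule.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(value: str) -> bool:
    """True for cells such as "-5" or "+3.5": they start with a leader but are
    harmless numeric literals. Exempting them avoids mangling every negative
    number in an export (design choice of this example)."""
    try:
        float(value)
    except ValueError:
        return False
    return True


def neutralize_cell(value: str) -> str:
    """Return the cell unchanged unless a spreadsheet would evaluate it.

    A formula-looking cell gets a leading single quote, which spreadsheets
    treat as a text marker; some importers display the apostrophe, which is
    the accepted trade-off for never executing attacker-controlled content.
    CSV quoting itself is left to csv.writer.
    """
    if not value or not value.startswith(FORMULA_LEADERS):
        return value
    if _is_plain_number(value):
        return value
    return "'" + value


def export_rows(rows) -> str:
    """Serialize rows as CSV text, passing every cell through neutralize_cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed sample export: a task list in which one attacker-controlled
# title is a classic DDE-style payload, one is a formula, and the points
# column holds signed numbers that must survive untouched.
SAMPLE_ROWS = [
    ["Task", "Title", "Points"],
    ["T1", "Fix login bug", "-2"],
    ["T2", "=cmd|' /C calc'!A0", "3"],
    ["T3", "@SUM(A1:A2)", "+1"],
]


def demo() -> str:
    """Export the constructed sample; the two formula cells come out quoted,
    the signed numbers do not."""
    return export_rows(SAMPLE_ROWS)


if __name__ == "__main__":
    print(demo())
```

The numeric exemption is the part worth checking in your own exporter: "-2+3" still gets mangled because it is not a plain number, while "-2" passes through, so the rule errs toward mangling anything ambiguous, which is the same bias the commit title ("look a little bit like formulas") describes.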
epriestley added a comment to T13055: Maybe "translation.override" should be locked.

One attack is that you can override the content of email and then send invite or welcome mail that says whatever you want, whether the victim has a Phabricator account (welcome) or not (invite).

Wed, Jan 31, 12:33 PM · Config, Security
epriestley triaged T13055: Maybe "translation.override" should be locked as Low priority.
Wed, Jan 31, 4:20 AM · Config, Security
epriestley added a revision to T12800: When Excel opens a CSV file, it just runs whatever arbitrary code might be in the file: D18974: Mangle cells that look a little bit like formulas in CSV files.
Wed, Jan 31, 12:25 AM · Security

Tue, Jan 30

epriestley added a comment to T12800: When Excel opens a CSV file, it just runs whatever arbitrary code might be in the file.

This is relevant now that work related to T13049 has added CSV support.

Tue, Jan 30, 11:54 PM · Security
epriestley added a comment to T13037: An attacker gained staff access to Mailgun and was able to read customer API keys.

(They got back to me and we're scheduling a call.)

Tue, Jan 30, 7:01 PM · Phacility, Security, Mail
epriestley added a comment to T13037: An attacker gained staff access to Mailgun and was able to read customer API keys.

Mailgun has yet to respond to me after about three weeks, so I sent them a followup.

Tue, Jan 30, 3:25 PM · Phacility, Security, Mail

Sat, Jan 27

epriestley moved T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045] from Backlog to Future on the Mail board.
Sat, Jan 27, 9:54 PM · Mail, Security
Herald updated subscribers of T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045].
Sat, Jan 27, 9:54 PM · Mail, Security
epriestley moved T13037: An attacker gained staff access to Mailgun and was able to read customer API keys from Backlog to Stamps/Failover on the Mail board.
Sat, Jan 27, 9:54 PM · Phacility, Security, Mail

Fri, Jan 26

epriestley added a commit to T13043: Improve authentication revocation behaviors: rP5529458e14eb: Add test coverage for SSH key revocation.
Fri, Jan 26, 3:47 AM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPdeb754dfe173: Make SSH key revocation actually prevent adding the same key back.
Fri, Jan 26, 3:43 AM · Phacility, Auth, Security

Jan 25 2018

epriestley added a revision to T13043: Improve authentication revocation behaviors: D18929: Add test coverage for SSH key revocation.
Jan 25 2018, 2:56 PM · Phacility, Auth, Security
epriestley added a revision to T13043: Improve authentication revocation behaviors: D18928: Make SSH key revocation actually prevent adding the same key back.
Jan 25 2018, 2:44 PM · Phacility, Auth, Security

Jan 23 2018

epriestley closed T13043: Improve authentication revocation behaviors as Resolved.

Add a temporary token revoker.
Add a session revoker.
Add an SSH key revoker.
Add a password revoker.
Add a VCS password revoker.

Jan 23 2018, 11:43 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPbf2868c07016: Rename "PhabricatorPasswordHashInterface" to….
Jan 23 2018, 10:06 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPd4b3cd5255b6: Document the "bin/auth revoke" tool.
Jan 23 2018, 10:02 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rP3becd5a57c27: Add "bin/auth revoke --list" to explain what can be revoked.
Jan 23 2018, 10:01 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rP21e415299f26: Mark all existing password hashes as "legacy" and start upgrading digest formats.
Jan 23 2018, 10:01 PM · Phacility, Auth, Security
epriestley added a commit to T12509: Plan the path forward from HMAC-SHA1: rP21e415299f26: Mark all existing password hashes as "legacy" and start upgrading digest formats.
Jan 23 2018, 10:01 PM · Infrastructure, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rP13ef5c6f2314: When administrators revoke SSH keys, don't include a "security warning" in the….
Jan 23 2018, 10:00 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rP026ec11b9d6b: Add a rate limit for guessing old passwords when changing passwords.
Jan 23 2018, 9:46 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: Restricted Diffusion Commit.
Jan 23 2018, 9:44 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPcab2bba6f2f7: Remove "passwordHash" and "passwordSalt" from User objects.
Jan 23 2018, 9:44 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPabc030fa008b: Move account passwords to shared infrastructure.
Jan 23 2018, 9:43 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPb8a515cb29d8: Bring new password validation into AuthPasswordEngine.
Jan 23 2018, 6:58 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPaa3b582c7b72: Remove "set password" from `bin/accountadmin` and let `bin/auth recover`….
Jan 23 2018, 6:58 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rP5a8a56f414fc: Prepare the new AuthPassword infrastructure for storing account passwords.
Jan 23 2018, 6:57 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rP753c4c5ff1ad: Remove the "PhabricatorRepositoryVCSPassword" class and table.
Jan 23 2018, 6:56 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPdd8f588ac51b: Migrate VCS passwords to new shared password infrastructure.
Jan 23 2018, 6:56 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPbb12f4bab718: Add test coverage to the PasswordEngine upgrade workflow and fix a few bugs.
Jan 23 2018, 6:55 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPc280c85772a3: Consolidate password verification/revocation logic in a new….
Jan 23 2018, 6:54 PM · Phacility, Auth, Security
epriestley added a comment to T13038: Meltdown and Spectre Speculative Branch Prediction Attacks.

The other thought I had was that using a cooperating subprocess and emitting signals to tell it to click a nanosecond-precision stopwatch might also make the attack more practical (or use pipes or domain sockets -- however you can get out of PHP with the lowest cost). They're probably all somewhat slow but likely better than microsecond-precision. Then you "just" need to get a cooperating binary onto the target host.

Jan 23 2018, 6:49 PM · Security
jboning added a comment to T13038: Meltdown and Spectre Speculative Branch Prediction Attacks.

Wow, I didn't mean for my two cents' worth of snark to cause such a stir! I do buy the argument that Phabricator isn't impacted by Meltdown/Spectre ("At least today, Herald rules are insufficiently expressive to allow an attacker to encode a speculative execution cache timing side channel attack.").

Jan 23 2018, 6:45 PM · Security
epriestley added a revision to T13043: Improve authentication revocation behaviors: D18916: Rename "PhabricatorPasswordHashInterface" to "PhabricatorAuthPasswordHashInterface".
Jan 23 2018, 4:12 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rP42e2cd9af02e: Add a "--force" flag to `bin/auth revoke`.
Jan 23 2018, 4:12 AM · Phacility, Auth, Security
epriestley closed T4842: Log when a user's SSH keys are used and what IP accessed them as Resolved.

I believe this has been supported since D11543, in 2015. Specifically, log.ssh.format supports %k, and it appears to work as expected.

Jan 23 2018, 12:17 AM · Security, Diffusion, Auth

Jan 22 2018

epriestley added a commit to T13043: Improve authentication revocation behaviors: rP9c00a437848c: Add a more modern object for storing password hashes.
Jan 22 2018, 11:34 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rPfa1ecb7f6612: Add a `bin/auth revoke` revoker for SSH keys.
Jan 22 2018, 11:34 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rP39c3b10a2f21: Add a `bin/auth revoke` revoker for sessions.
Jan 22 2018, 8:01 PM · Phacility, Auth, Security
epriestley added a commit to T13043: Improve authentication revocation behaviors: rP7970cf058517: Add a `bin/auth revoke` revoker for temporary tokens.
Jan 22 2018, 8:00 PM · Phacility, Auth, Security
epriestley added a revision to T13043: Improve authentication revocation behaviors: D18911: Document the "bin/auth revoke" tool.
Jan 22 2018, 6:15 PM · Phacility, Auth, Security
epriestley added a revision to T13043: Improve authentication revocation behaviors: D18910: Add "bin/auth revoke --list" to explain what can be revoked.
Jan 22 2018, 5:50 PM · Phacility, Auth, Security
epriestley added a revision to T12509: Plan the path forward from HMAC-SHA1: D18908: Mark all existing password hashes as "legacy" and start upgrading digest formats.
Jan 22 2018, 2:16 AM · Infrastructure, Security
epriestley added a revision to T13043: Improve authentication revocation behaviors: D18908: Mark all existing password hashes as "legacy" and start upgrading digest formats.
Jan 22 2018, 2:16 AM · Phacility, Auth, Security