Hi
Today we were privately informed about a misconfigured OAuth callback
URL in our GitHub application. We only allow its use for repository
import, so it is not widely used. This misconfiguration allowed a
covert redirect vulnerability[1] and possible account takeover of any
account using the integration. We quickly changed that setting to a
better suited value.
During the discussion we were informed that GitHub overall does pretty
loose checking of the callback or redirect URL. They accept all
sub-resources and, more problematic, all sub-domains.[2] If you
configure the URL to https://example.com/users, it will happily accept:
- https://example.com/users/bla
- https://bla.example.com/users
We host services on sub-domains of salsa.debian.org. I was not able to
verify quickly that none of those services could help in this attack.
So I decided to disable the integration for now.
Sorry about any inconvenience.
Regards,
Bastian
[1]: https://oauth.net/advisories/2014-1-covert-redirect/
[2]: https://hackerone.com/reports/292825
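The two matching policies the mail contrasts, as an added example that is not part of the original message: a model of the permissive sub-path/sub-domain acceptance described above next to the exact-match check that OAuth providers should apply to redirect URIs. The function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed from the mail: the registered callback and candidate redirect URIs.
REGISTERED = "https://example.com/users"
CANDIDATES = [
    "https://example.com/users",          # exact
    "https://example.com/users/bla",      # sub-resource
    "https://bla.example.com/users",      # sub-domain
    "https://evilexample.com/users",      # unrelated host (must never pass)
    "http://example.com/users",           # scheme downgrade (must never pass)
]


def loose_match(registered: str, candidate: str) -> bool:
    """Model of the permissive policy the mail describes: same scheme,
    host equal to or a sub-domain of the registered host, and a path
    equal to or below the registered path."""
    r, c = urlsplit(registered), urlsplit(candidate)
    if c.scheme != r.scheme or not r.hostname:
        return False
    host = c.hostname or ""
    host_ok = host == r.hostname or host.endswith("." + r.hostname)
    r_path = r.path.rstrip("/")
    path_ok = c.path == r_path or c.path.startswith(r_path + "/")
    return host_ok and path_ok


def strict_match(registered: str, candidate: str) -> bool:
    """Exact-match policy: every component (scheme, authority, path,
    query, fragment) must be identical to the registered value."""
    return urlsplit(registered) == urlsplit(candidate)


def audit(registered: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each candidate to (accepted_by_loose, accepted_by_strict) so the
    extra exposure of the loose policy is visible at a glance."""
    return {c: (loose_match(registered, c), strict_match(registered, c))
            for c in candidates}


if __name__ == "__main__":
    for uri, (loose, strict) in audit(REGISTERED, CANDIDATES).items():
        print(f"{uri:40} loose={loose!s:5} strict={strict}")
```

Any redirect target that your own services could serve under a sub-domain or sub-path of the registered callback shows up as loose=True, strict=False; the exact-match column is the one to require.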