[Fusionforge-general] CVE-2014-0468: vulnerability in FusionForge Apache configuration
Sylvain Beucler - Inria
sylvain.beucler at inria.fr
Mon Mar 31 17:55:28 CEST 2014
Hi,
Last week we discovered a vulnerability in the Apache configuration
shipped with FusionForge, where the web server may execute scripts that
the users would have uploaded in their raw SCM repositories (SVN, Git,
Bzr...).
This vulnerability, labelled CVE-2014-0468, can be exploited if you
provide file-level access (shell access, sftp access) to the /raw/
repositories (direct access bypassing the svn/git/etc. commands).
Note: scripts committed normally to the repositories may not be executed
through this vulnerability.
A fixed configuration is available at:
https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=blob;f=src/etc/httpd.conf.d/plugin-generic.inc;hb=HEAD
and reproduced below for reference.
Since the installation process usually does not override configuration
files (because they may have been customized), make sure you update your
installed '/etc/<forge>/httpd.conf.d/plugin-generic.inc' file manually.
An updated 5.2 release is in preparation for new installations.
(5.1 reached end of support, but the fix also applies to that version)
Regards,
The FusionForge team.
-----
ScriptAliasMatch ^/plugins/([^/]*)/cgi-bin/(.*) {core/source_path}/plugins/$1/cgi-bin/$2
Alias {core/url_prefix}anonscm/ {core/data_path}/chroot/scmrepos/
<DirectoryMatch {core/data_path}/chroot/scmrepos/[^/]*>
    Options -Indexes
</DirectoryMatch>
<DirectoryMatch {core/data_path}/chroot/scmrepos/[^/]*/.*>
    # Enable directory index listing, but disable symlinks and CGI
    Options Indexes
    # Permit HTTP Auth for somewhat private projects (mechanism
    # other than the SCM anon bit in the forge)
    AllowOverride AuthConfig
    # Prevent cookie theft in case a script does manage to execute
    RequestHeader unset Cookie
    # Disable all scripting engines (taken from Savannah)
    # except for empty filenames == directory index
    <Files "?*">
        SetHandler default
    </Files>
    # Disable PHP5 explicitly for security (CVE-2014-0468)
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</DirectoryMatch>
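Because the installer does not overwrite a customised plugin-generic.inc, an administrator has to confirm by hand that the installed file carries the fix. The script below is an added example written for this page; it is not part of the original message nor of FusionForge's own code. It parses an Apache configuration fragment with a minimal section-aware parser (assumed sufficient for fragments of this shape) and reports, for every DirectoryMatch covering the raw scmrepos tree, whether the four mitigations from the fixed configuration are present: handlers reset to default for non-empty filenames, the Cookie header stripped, the PHP engine switched off, and an Options line that does not enable ExecCGI, FollowSymLinks or Includes. FIXED_CONF copies the configuration from the mail; WEAK_CONF is a constructed fragment lacking the mitigations, used only for contrast.

```python
"""Audit an Apache config fragment for the CVE-2014-0468 mitigations (added example)."""
import re
from dataclasses import dataclass, field

# FIXED_CONF reproduces the fixed configuration posted in the mail; the
# {core/...} tokens are FusionForge template placeholders, not Apache syntax.
FIXED_CONF = """
ScriptAliasMatch ^/plugins/([^/]*)/cgi-bin/(.*) {core/source_path}/plugins/$1/cgi-bin/$2
Alias {core/url_prefix}anonscm/ {core/data_path}/chroot/scmrepos/
<DirectoryMatch {core/data_path}/chroot/scmrepos/[^/]*>
    Options -Indexes
</DirectoryMatch>
<DirectoryMatch {core/data_path}/chroot/scmrepos/[^/]*/.*>
    Options Indexes
    AllowOverride AuthConfig
    RequestHeader unset Cookie
    <Files "?*">
        SetHandler default
    </Files>
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</DirectoryMatch>
"""

# WEAK_CONF is a constructed fragment without the mitigations (not the real
# pre-fix FusionForge configuration), used to show a failing audit.
WEAK_CONF = """
Alias {core/url_prefix}anonscm/ {core/data_path}/chroot/scmrepos/
<DirectoryMatch {core/data_path}/chroot/scmrepos/[^/]*/.*>
    Options +Indexes +FollowSymLinks
    AllowOverride AuthConfig
</DirectoryMatch>
"""

@dataclass
class Section:
    name: str                                   # "" for the implicit root
    arg: str                                    # section argument, quotes removed
    directives: list = field(default_factory=list)  # (name, args) pairs
    children: list = field(default_factory=list)

def parse_apache(text):
    """Build a tree of <Section> blocks; comments and blank lines are dropped."""
    root = Section("", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m_close = re.match(r"^</(\w+)>$", line)
        m_open = re.match(r"^<(\w+)\s+(.*)>$", line)
        if m_close:
            if stack[-1].name != m_close.group(1):
                raise ValueError(f"unbalanced </{m_close.group(1)}>")
            stack.pop()
        elif m_open:
            sec = Section(m_open.group(1), m_open.group(2).strip('"'))
            stack[-1].children.append(sec)
            stack.append(sec)
        else:
            parts = line.split(None, 1)
            stack[-1].directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1].name}> section")
    return root

def has_directive(sec, name, pred):
    return any(d == name and pred(a) for d, a in sec.directives)

def children_named(sec, name, pred=lambda a: True):
    return [c for c in sec.children if c.name == name and pred(c.arg)]

UNSAFE_OPTIONS = {"execcgi", "followsymlinks", "includes", "all"}

def options_safe(sec):
    """True only if Options uses the absolute form (which clears inherited
    ExecCGI/FollowSymLinks) and enables none of the unsafe options."""
    opts = [a for d, a in sec.directives if d == "Options"]
    if not opts:
        return False
    for args in opts:
        tokens = args.split()
        if any(t.lstrip("+").lower() in UNSAFE_OPTIONS and not t.startswith("-") for t in tokens):
            return False
        if all(t[0] in "+-" for t in tokens):
            return False  # merge form: inherited ExecCGI etc. would survive
    return True

def audit_section(sec):
    """Map each mitigation to True/False for one scmrepos DirectoryMatch block."""
    files_any = children_named(sec, "Files", lambda a: a == "?*")
    php_mods = children_named(sec, "IfModule", lambda a: a.startswith("mod_php"))
    return {
        "handlers_disabled": any(has_directive(f, "SetHandler", lambda a: a == "default") for f in files_any),
        "cookie_stripped": has_directive(sec, "RequestHeader", lambda a: a.lower() == "unset cookie"),
        "php_engine_off": any(has_directive(m, "php_admin_flag", lambda a: a.lower() == "engine off") for m in php_mods),
        "options_safe": options_safe(sec),
    }

def audit_config(text, is_repo_section=lambda arg: arg.endswith("scmrepos/[^/]*/.*")):
    """Return {section_arg: mitigation map} for every matching DirectoryMatch, at any depth."""
    report = {}
    def walk(sec):
        for c in sec.children:
            if c.name == "DirectoryMatch" and is_repo_section(c.arg):
                report[c.arg] = audit_section(c)
            walk(c)
    walk(parse_apache(text))
    return report

def is_mitigated(text):
    report = audit_config(text)
    return bool(report) and all(all(v.values()) for v in report.values())

if __name__ == "__main__":
    for label, conf in (("fixed", FIXED_CONF), ("weak", WEAK_CONF)):
        print(label, audit_config(conf), "OK" if is_mitigated(conf) else "MISSING")
```

To check a live installation, read '/etc/<forge>/httpd.conf.d/plugin-generic.inc' into `is_mitigated()` instead of the embedded constants; an empty report means no section matched the raw-repository path at all, which is itself a finding worth investigating.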