Security caution (possible information disclosure)
There is a serious security issue in Redmine (although it can also be treated as a configuration issue). It is related to what SCM Creator does, which is why I have written this page.
An attacker with the right project permissions can read sensitive data through Redmine's local repository functionality. This applies to all currently supported SCM types.
The issue is most critical for the Filesystem SCM: with it an attacker can create a repository whose path is /etc and browse the server's system configuration (anything the Redmine process can read under that directory).
The issue with the other SCMs is less obvious but no less critical. Knowing (for example by guessing) the server-local path of another project's private repository, an attacker who has the "Manage repository" permission in any project can attach that repository to their own project by entering its path when adding a repository, and then read it through Redmine's repository browser. In addition to information disclosure, this becomes full write access to the private repository if Redmine.pm is configured, because Redmine.pm authorizes SCM access based on membership in the Redmine project the repository is attached to.
- One can't add an existing local repository using SCM Creator's "Create new repository" button. Redmine's native "Create" button, however, does allow this... but...
- ...actually, it would allow it. SCM Creator now enforces allow_add_local: false, which stops Redmine's native code from adding existing local repositories.
- Previously, on project creation SCM Creator picked up an existing repository whose name was equal to the project identifier. You can set allow_pickup: true to enable the old behaviour, but note that this pickup is exactly what an attacker abuses by creating a project with a chosen identifier.
- Disable the Filesystem SCM! I mean it: do this. This SCM needs restrictions, so you should really disable it (Administration > Settings > Repositories > Enabled SCM) until the Redmine developers fix it.
- Use auto_create: true along with allow_pickup: false. This way one won't be able to gain access to a repository by creating a project with a particular identifier: a fresh, empty repository is created instead of an existing one being picked up.
- Grant the "Manage repository" permission only to trusted users. Revoke it from untrusted ones.
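The list above amounts to three checks: the settings in scm.yml, the repositories already attached to projects, and whether the Filesystem SCM is still reachable. The Ruby script below is an added example, not code from SCM Creator or Redmine, that runs the first two over constructed input. It parses an scm.yml and reports which of allow_add_local, allow_pickup and auto_create deviate from the values recommended here, then walks a constructed sample of repository rows (scm type and url, as Redmine stores them in its repositories table) and flags any Filesystem repository, any local path that resolves outside the configured root for its SCM, and any path attached to more than one project. The per-SCM path keys in the sample scm.yml, and deriving the roots from them, are assumptions; the three settings keys are the ones this page discusses.

```ruby
require 'yaml'

# Hardened config/scm.yml as this page recommends. Constructed sample, not the
# plugin's shipped file: the per-SCM "path" keys are an assumed layout.
HARDENED_SCM_YML = <<~YAML
  production:
    git:
      path: /var/lib/redmine/repos/git
    subversion:
      path: /var/lib/redmine/repos/svn
    allow_add_local: false
    allow_pickup: false
    auto_create: true
YAML

# The same file with every setting the page warns about turned the wrong way.
WEAK_SCM_YML = <<~YAML
  production:
    git:
      path: /var/lib/redmine/repos/git
    allow_add_local: true
    allow_pickup: true
YAML

# Values this page says these keys must have.
WANTED = { 'allow_add_local' => false, 'allow_pickup' => false, 'auto_create' => true }.freeze

# One string per setting that is missing or differs from WANTED.
# An unset key is reported too, so the audit never relies on plugin defaults.
def config_findings(yml_text, env = 'production')
  cfg = YAML.safe_load(yml_text).fetch(env, {})
  WANTED.each_with_object([]) do |(key, wanted), out|
    next if cfg.key?(key) && cfg[key] == wanted
    out << "#{key}: expected #{wanted}, found #{cfg.key?(key) ? cfg[key].inspect : 'unset'}"
  end
end

# Constructed sample of Redmine's repositories table (scm type + url column),
# not real data. The suspicious rows mirror the attacks described above.
SAMPLE_REPOS = [
  { project: 'alpha', scm: 'Git',        url: '/var/lib/redmine/repos/git/alpha' },
  { project: 'beta',  scm: 'Git',        url: '/var/lib/redmine/repos/git/alpha' }, # alpha's repo
  { project: 'gamma', scm: 'Filesystem', url: '/etc' },
  { project: 'delta', scm: 'Subversion', url: 'file:///var/lib/redmine/repos/git/../../../../etc' },
  { project: 'eps',   scm: 'Subversion', url: 'file:///var/lib/redmine/repos/svn/eps' }
].freeze

# Per-SCM roots under which legitimate local repositories live, taken from the
# assumed "path" keys of scm.yml. Keys match Redmine's scm type names.
def roots_from_config(yml_text, env = 'production')
  cfg = YAML.safe_load(yml_text).fetch(env, {})
  { 'Git' => cfg.dig('git', 'path'), 'Subversion' => cfg.dig('subversion', 'path') }.compact
end

# Local path for a repository url: file:// stripped and ".." resolved, so a
# traversal cannot hide the real target. Remote urls end up outside every root
# and are reported, which is the safe side for an audit.
def local_path(url)
  File.expand_path(url.sub(%r{\Afile://}, ''), '/')
end

def under_root?(path, root)
  root = File.expand_path(root, '/')
  path == root || path.start_with?(root + '/')
end

# Repositories an attacker could have used to read foreign data: any Filesystem
# repository, any path outside its SCM root, any path shared by several projects.
def repository_findings(repos, roots)
  findings = []
  by_path = Hash.new { |h, k| h[k] = [] }
  repos.each do |r|
    if r[:scm] == 'Filesystem'
      findings << { project: r[:project], reason: "Filesystem repository at #{r[:url]}" }
      next
    end
    path = local_path(r[:url])
    by_path[path] << r[:project]
    root = roots[r[:scm]]
    if root.nil?
      findings << { project: r[:project], reason: "no root configured for #{r[:scm]}" }
    elsif !under_root?(path, root)
      findings << { project: r[:project], reason: "#{path} is outside #{root}" }
    end
  end
  by_path.each do |path, projects|
    next if projects.size < 2
    findings << { project: projects.join(','), reason: "#{path} is attached to #{projects.size} projects" }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  config_findings(WEAK_SCM_YML).each { |f| puts "config: #{f}" }
  repository_findings(SAMPLE_REPOS, roots_from_config(HARDENED_SCM_YML)).each do |f|
    puts "#{f[:project]}: #{f[:reason]}"
  end
end
```

Against a live instance, feed repository_findings the rows selected from the repositories table joined to projects, and roots_from_config the real config/scm.yml. A path attached to two projects deserves a look even when both projects are legitimate: allow_add_local: false only prevents new attachments, it does not undo ones made before the setting was enforced.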