I'm the author of:

Mastering Redmine is a comprehensive guide with tips, tricks and best practices, and an easy-to-learn structure.

Security caution (possible information disclosure)

There is a big security issue in Redmine (which can also be treated as a misconfiguration issue). It is related to what SCM Creator does, which is why I have written this page.

An attacker can get access to sensitive data through the local repository functionality of all currently supported SCM types.

This issue is most critical for the Filesystem SCM. Using this SCM, an attacker can create a repository with the path /etc and gain access to the server's system configuration.

The issue with other SCMs is less obvious but not less critical. Knowing (e.g. by guessing) the server-local path of a private repository, and having management privileges in any project, an attacker can gain access to another project's private repository by specifying that private repository's path when adding a repository. In addition to information disclosure, this can become full write access to the private repository if Redmine.pm is configured.

Any SCM and any version of Redmine is affected! An official workaround exists, but it is not enforced!

Several issues were opened describing this vulnerability: e.g. #1415 and #10966.

What SCM Creator does to prevent exploitation of this vulnerability:
  • One can't add an existing local repository using SCM Creator's "Create new repository" button! The native "Create" button would allow it... but now SCM Creator enforces allow_add_local: false, which does not let Redmine's native code add existing local repositories.
  • Before, on project creation, SCM Creator picked up a repository if its name was equal to the project identifier... Now it does not! You can set allow_pickup to true to enable the old behaviour.
What else can you do to protect your repositories:
  • Disable the Filesystem SCM! I mean it - do this! This SCM needs restrictions, so you should really disable it until the Redmine developers fix it!
  • Configure scm_<scm>_path_regexp in your configuration.yml.
  • Use auto_create: true along with allow_pickup: false. This way one won't be able to gain access to a repository by creating a project with a particular identifier.
  • Grant the "Manage repository" permission only to trusted users. Revoke it from untrusted ones.
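The two lists above boil down to one check on the server side: a repository path is accepted only if it fully matches the regexp configured for its SCM, with the placeholder bound to the project's own identifier, and an already existing path is never attached as a "new" repository (the allow_add_local: false behaviour). Below is that check as a small Python model, added here as an illustration; it is not code from Redmine or SCM Creator. The scm_<scm>_path_regexp key names and the %project% placeholder are assumed to follow Redmine's configuration.yml.example, and the /var/repos/... directories and project identifiers are made up for the example.

```python
import posixpath
import re

# Constructed per-SCM path restrictions in the spirit of the scm_<scm>_path_regexp
# keys of Redmine's configuration.yml. The key names and the %project% placeholder
# (replaced by the project identifier) are assumed to follow Redmine's
# configuration.yml.example; the directories are made up for this example.
# The Filesystem SCM deliberately has no entry: it is treated as disabled.
PATH_REGEXPS = {
    "git": r"/var/repos/git/%project%(\.git)?",
    "subversion": r"/var/repos/svn/%project%",
    "mercurial": r"/var/repos/hg/%project%",
}


def path_allowed(scm, path, project_identifier, regexps=PATH_REGEXPS):
    """Return True only if `path` is an absolute, already-normalized POSIX path
    that fully matches the regexp configured for `scm`, with %project% bound to
    the project's own identifier. Anything unexpected fails closed."""
    pattern = regexps.get(scm)
    if pattern is None:
        # No restriction configured for this SCM (e.g. filesystem): refuse rather
        # than fall back to "any path goes".
        return False
    # Reject relative paths and anything that changes under normalization
    # (trailing slashes, "..", duplicate separators), so a path such as
    # /var/repos/git/../../../etc cannot slip past a prefix-looking pattern.
    if not posixpath.isabs(path) or posixpath.normpath(path) != path:
        return False
    # Bind the placeholder to the literal identifier so a "." in an identifier
    # is not a regex wildcard, then require a full match (not a search).
    pattern = pattern.replace("%project%", re.escape(project_identifier))
    return re.fullmatch(pattern, path) is not None


def new_repository_allowed(scm, path, project_identifier, exists=posixpath.exists):
    """Model allow_add_local: false: a repository may be registered only if its
    path passes the regexp check AND nothing exists at that path yet, so an
    already present directory (another project's repository, /etc, ...) cannot
    be attached as if it were newly created. `exists` is injectable for tests."""
    return path_allowed(scm, path, project_identifier) and not exists(path)


if __name__ == "__main__":
    # Constructed requests an administrator might see; the last three are the
    # kinds of paths the page warns about.
    requests = [
        ("git", "/var/repos/git/billing.git", "billing"),
        ("subversion", "/var/repos/svn/billing", "billing"),
        ("git", "/var/repos/git/payroll.git", "billing"),    # another project's repo
        ("git", "/var/repos/git/../../../etc", "billing"),   # traversal
        ("filesystem", "/etc", "billing"),                   # Filesystem SCM
    ]
    for scm, path, project in requests:
        verdict = "allowed" if path_allowed(scm, path, project) else "rejected"
        print(f"{scm:10s} {path:32s} -> {verdict}")
```

The two details that matter in practice are the full match (a pattern used with a search would still accept a path that merely contains the allowed prefix) and the normalization check, which keeps ".." segments from turning an allowed prefix into a path outside the repository root. Leaving the Filesystem SCM out of the table models the "disable it" advice: with no pattern at all, every path for that SCM is refused.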