2020-08-19
| 00:19 | • Fixed ticket [56b82836ff]: RCE by exploiting unchecked content of the ticket-table setting plus 5 other changes artifact: 45fcaaa15b user: drh |

2020-08-17
| 14:09 | Set an authorizer when running the ticket-table SQL. Ticket [56b82836ffba9952]. check-in: fb41384045 user: drh tags: sec2020 |
| 08:36 | • New ticket [56b82836ff] RCE by exploiting unchecked content of the ticket-table setting. artifact: 02205983db user: drh |

| Ticket Hash: | 56b82836ffba995245dabd8feecf4cba975a4a13 |
| Title: | RCE by exploiting unchecked content of the ticket-table setting |
| Status: | Fixed | Type: | Code_Defect |
| Severity: | Critical | Priority: | Immediate |
| Subsystem: | | Resolution: | Fixed |
| Last Modified: | 2020-08-19 00:19:31 (5.62 years ago) | Created: | 2020-08-17 08:36:19 (5.62 years ago) |
| Version Found In: | |

User Comments:

drh added on 2020-08-17 08:36:19:
On a clone (or on a "fossil config pull ticket") the SQL text in the ticket-table setting is run on the client, without restriction. A malicious server admin could put SQL in that setting that changes the value of other settings such as "ssh-command" and/or "last-sync-url" which could then cause arbitrary code to run the next time the victim did a "fossil pull". Problem discovered by Max Justicz.

drh added on 2020-08-19 00:19:31:
Add an authorizer to the ticket-table script processing.
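
The mitigation named in the comments above, sketched as an added example that is not Fossil's own code: a SQLite authorizer (set through Python's `sqlite3` module) confines an untrusted schema script to the ticket tables, and the whole script is rolled back on any denial. The table names `ticket`, `ticketchng` and `config`, the helper names, and the sample repository are assumptions made for illustration.

```python
import sqlite3

TICKET_TABLES = {"ticket", "ticketchng"}            # assumed ticket table names
SCHEMA_TABLES = {"sqlite_master", "sqlite_schema"}  # written internally by any DDL
TABLE_IN_ARG1 = {sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_INSERT,
                 sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE, sqlite3.SQLITE_READ}

def ticket_schema_auth(action, arg1, arg2, dbname, source):
    """Allow only operations on the ticket tables; deny everything else."""
    if action in TABLE_IN_ARG1:
        table = arg1
    elif action == sqlite3.SQLITE_CREATE_INDEX:
        table = arg2                     # arg1 is the index name
    else:
        return sqlite3.SQLITE_DENY       # PRAGMA, ATTACH, COMMIT, triggers, ...
    # Assumption: the repository is the "main" database of this connection.
    allowed = dbname == "main" and table in TICKET_TABLES | SCHEMA_TABLES
    return sqlite3.SQLITE_OK if allowed else sqlite3.SQLITE_DENY

def split_statements(script):
    """Yield one complete SQL statement at a time from a multi-line script."""
    buf = ""
    for line in script.splitlines(keepends=True):
        buf += line
        if sqlite3.complete_statement(buf):
            yield buf
            buf = ""
    if buf.strip():
        yield buf                        # unterminated tail: let execute() judge it

def apply_ticket_schema(conn, script):
    """Run an untrusted schema script atomically; return True if it was applied."""
    conn.execute("BEGIN")                # opened before the authorizer is armed
    conn.set_authorizer(ticket_schema_auth)
    try:
        for stmt in split_statements(script):
            conn.execute(stmt)
        ok = True
    except (sqlite3.Error, sqlite3.Warning):
        ok = False                       # denied or malformed: discard everything
    conn.set_authorizer(lambda *a: sqlite3.SQLITE_OK)   # trusted code again
    conn.execute("COMMIT" if ok else "ROLLBACK")
    return ok

def demo_repo():
    """Constructed stand-in for a local repository with one stored setting."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE config(name TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO config VALUES('ssh-command', 'ssh')")
    return conn
```

Direct writes to `sqlite_master` pass this authorizer but are refused by SQLite itself while `writable_schema` is off, and the script cannot turn it on because `PRAGMA` is denied.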