We use gitlab ultimate at my work, I’m the main admin of the instance. Like 2 weeks ago when there was the cvss 10 vuln, gitlab sent us a .patch file to apply to the instance instead of releasing a new minor cause they didn’t wanna make the vuln public yet. I guess that’s coordinated disclosure, but I still found that remarkably jank.
deleted by creator
Yum upgrade. Nightly. Since about v9.
Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
Jesus Christ. Their frontend was sending a list of recipients to the backend. That’s an intern developer level of fuck up, in their login system, no less.
If this got past them, it’s a sign of deep problems.
Can you explain in a bit more detail what you understand was happening?
Not the commenter but it seems like the parameters of the HTTP Get/Post weren’t protected/checked. The API was likely something like: Email to reset: string(email account to reset) But it accepted something like: [string(email account to reset), string (email to which the reset mail is sent to)]
Little Bobby Tables? Or would that be an XHR attack?
Bobby table, this, buffer overflow… Are all similar in spirit.
Bobby table is a way for hiding the malicious SQL query after a normal query (in that case after the select with “Bobby” you inject the malicious drop table)
In this case after the normal email (that normally would serve for both identifying the user and for the mail to send the recovering mail), the attacker sends two mails, the first is fo identifying the user the second to send the recovering mail
In the case of buffer overflow you inject malicious code after normal(-ish) data
It’s not an XHR attack since for the mail recovery workflow you don’t need an authenticated session.
To be a bit more compassionate to the developers, this is probably some dynamic typing problem. Probably ruby is “smart” into understand that an array can contain strings after all… So an array of strings is as good as a string… But here we go into static vs dynamic typing… And it’s a bit of religious war (fun fact in 2011 i was advocating with Guido Van Rossum in having at least an optional static typing check in Python - at the time the discussion was how to make python faster/compiled - and he was borderline mocking me 😅 and few years after pytypes but still no compilation at horizon 😂)
Thanks for the explanation, my friend!
My problem is that I am a hopeless generalist (which basically means I invariably find myself in support positions rather than what I actually should be doing), and IT is an endless jungle. I’m too curious for my own good.
There was a chap on here the other day who said they hate 2fa and don’t need it because they use passwords that are 50 characters and generated by the password manager.
This is a perfect example of why you should always activate it when possible.
One of the biggest issues with 2fa is that normally it’s either an easily spoofable phone/email or an app locked to a device.
This is why I use a password manager (pass) that is synced across all of my devices (via a private self hosted git for version control) that I can send 2fa QR codes to cameraless devices via screenshots using zbarimg and have every device capable of 2fa verification with the pass-otp extension.
I know this setup is a bit complicated as just dealing with git or importing a gpg key would give most people I know sense of existential dread. I am curious to see what others use for similar functionality.
Is that second factor, though? If I understand it right, you are basically generating your MFA from your password manager, is that so?
I’m just using my password manager in place of the authenticator app.
So rather than using an app like Google authenticator or Authy to see what the new random sequence is for the MFA, my password manager stores that QR as a string and will display the same random sequence that a normal MFA app would.
They key difference is that my MFA is synced across any device that I have configured my password manager on using the same cryptographic keys and version control history.
So if my phone is dead, lost, or stolen, I can still access my banking account via MFA as normal.
I suppose it brings up the idea of what a “factor” is in how it’s used for MFA. If a factor is supposed to be a different device, a different app on the same device as your password manager, or just a different passphrase that’s constantly changing.
I see. IIRC from school, “factor” actually has a definition - it’s either something you have (keycard, phone), something you are (biometrics) or something you know (password).
For authentication to be truly an effective MFA, it would have to require at least two of those factors. And that’s also why I.e email isn’t really a MFA.
So, I guess it boils down to where are you storing your passwords. If they are also in the password manager, then, its only 1FA, because knowing your password manager password is enough to defeat it. (Or, if someone finds a zeroday in the pass manager).
It’s still two separate passwords so I think it qualifies as 2 factors.
But yes the password manager has one gpg key which only has one passphrase used to decrypt the passwords saved in the password manager. So if that was compromised then so would all passwords
bruh, feels like gitlab has security update every other day, it’s some bullshit even for a project this size. And who knows how many 0-days are around.
And their license cost increases at almost the same rate.
No it doesn’t. Gitlab’s pricing has been pretty stable, with one increase in the premium tier in the past six years ($19 --> $29 per user per month).
There were more increases, they just changed the tier names and billing terms, so it’s somewhat hard to find historical information of previous prices. Our company ditched it after the 52% increase in 2023, especially because we were still adjusting to the price increase from 2021, which for us was $6 per user per month. I think in 2018 or 2019 it was $3 per user per month, so there must have been another increase that happened between 2018 and 2021. This was all for self hosted, so we had the additional cost of hardware and to maintain the services.
I really wanted to support GitLab, but the price simply became too much to justify.
