mass assignment vulnerability in Redmine
Added by Mike Munro over 12 years ago
Just saw this morning GitHub got hacked by a well-known rails vulnerability. We run a Redmine site for a client, wondering if I should be looking for the same vulnerability or if Redmine devs were smart enough to design around the issue? Related articles:
http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/
http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment
http://homakov.blogspot.com/2012/03/how-to.html
Replies (8)
RE: mass assignment vulnerability in Redmine - Added by Andreas Schultz over 12 years ago
I'm no expert on rails, but running this: https://github.com/mhartl/find_mass_assignment
(more details: http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/)
on SVN rel 7639 gives rather scary output.
RE: mass assignment vulnerability in Redmine - Added by Etienne Massip over 12 years ago
Yes but most of the time, RM checks that the user trying to update has the right to do so.
RM code seems pretty clean to me.
RE: mass assignment vulnerability in Redmine - Added by John Yani over 12 years ago
Yes but most of the time, RM checks that the user trying to update has the right to do so.
Well, most of the time is not always.
Let's examine a simple example of what find_mass_assignment has found:
app/controllers/news_controller.rb
if request.put? and @news.update_attributes(params[:news])
Let's look at the model:
app/models/news.rb
class News < ActiveRecord::Base
  belongs_to :project
  belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
end
So we can modify project_id and author_id when updating the news item. This allows me to post news as any user (including admin and anonymous) and post news to other projects.
This might not be a serious attack, but this is just an example. Who knows what other exceptions from "most of the time" there might be.
RE: mass assignment vulnerability in Redmine - Added by Etienne Massip over 12 years ago
In this specific case, there is a before_filter :authorize, :except => [:index]
which will prevent you from updating the news item if you don't have the right permission set.
What you say might be true if you have this permission for one project, then maybe you'll be able to change the author and even attach it to another project (not sure about the project because of another before_filter :find_project_from_association, :except => [:new, :create, :index]).
RE: mass assignment vulnerability in Redmine - Added by Etienne Massip over 12 years ago
Indeed, you won't be able to set a different project, this is checked.
RE: mass assignment vulnerability in Redmine - Added by John Yani over 12 years ago
Etienne Massip wrote:
What you say might be true if you have this permission for one project, then maybe you'll be able to change the author and even attach it to another project (not sure about the project because of another before_filter :find_project_from_association, :except => [:new, :create, :index]).
Yes, that's what I meant. This is only true if I have a news item I can update.
Created an issue, so we can track all found vulnerabilities:
http://www.redmine.org/issues/10390
RE: mass assignment vulnerability in Redmine - Added by John Yani over 12 years ago
Etienne Massip wrote:
Indeed, you won't be able to set a different project, this is checked.
How did you check? I can reproduce it locally by adding the following line to the news update form:
<input type="hidden" name="news[project_id]" value="ANY_PROJECT_ID_YOU_WANT_TO_POST_NEWS_TO">
RE: mass assignment vulnerability in Redmine - Added by Etienne Massip over 12 years ago
John Yani wrote:
Etienne Massip wrote:
Indeed, you won't be able to set a different project, this is checked.
How did you check? I can reproduce it locally by adding the following line to the news update form
By reading the code but I fooled myself; you're right, it can be assigned to a different project.
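The defect the thread settles on, as an added example that is not Redmine's or Rails' own code: a small stand-in for ActiveRecord's update_attributes(params[:news]) that behaves like the unprotected News model (every request key, including project_id and author_id, becomes an assignment) next to the same model with an attr_accessible whitelist of the genuine form fields, which drops the forged keys and records them so the attempt can be logged. NewsRecord, UnsafeNews, SafeNews, FORGED_PARAMS and demo are invented for this example; the fields title, summary and description are assumed to be the real news form fields.

```ruby
class NewsRecord
  # Whitelist of form-settable attributes (what Rails' attr_accessible does);
  # nil means none was declared and every param key becomes a setter.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible_attributes
    @accessible
  end

  attr_reader :title, :project_id, :author_id, :rejected_keys

  def initialize(project_id, author_id)
    @project_id, @author_id = project_id, author_id
  end

  # Stand-in for ActiveRecord#update_attributes(params[:news]).
  def update_attributes(params)
    allowed = self.class.accessible_attributes
    @rejected_keys = []
    params.each do |key, value|
      key = key.to_s
      if allowed && !allowed.include?(key)
        @rejected_keys << key # a forged hidden input shows up here; worth logging
        next
      end
      instance_variable_set("@#{key}", value)
    end
    true
  end
end

# News as in the thread: no whitelist, so project_id and author_id are assignable.
class UnsafeNews < NewsRecord
end

# Same model with only the genuine form fields whitelisted.
class SafeNews < NewsRecord
  attr_accessible :title, :summary, :description
end

# Constructed request body: the real title plus the forged hidden fields.
FORGED_PARAMS = { "title" => "Release", "project_id" => 999, "author_id" => 1 }
# Returns [project_id, author_id, rejected keys] after the forged update.
def demo(klass)
  news = klass.new(7, 42)
  news.update_attributes(FORGED_PARAMS)
  [news.project_id, news.author_id, news.rejected_keys]
end
```

With the whitelist in place the news item keeps its original project and author, and the two rejected keys are exactly the hidden-field names a tampered form would carry.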