Carrot Disclosure: Forgejo
6 hours ago
- #forgejo-audit
- #disclosure-strategy
- #security-vulnerabilities
- The author found multiple security vulnerabilities in Forgejo after Fedora migrated from Pagure to Forgejo, including SSRF, lack of CSP/Trusted-Types, cryptographic issues, authentication flaws, DoS risks, information leaks, and TOCTOU problems.
- The vulnerabilities were chained together to achieve a full remote code execution (RCE), secret leaks, persistent account access, and OAuth2 privilege escalations, discovered in just one evening of work.
- The RCE exploit requires open registration and a specific non-default configuration, which limits how widely it can be exploited, although some instances do run that configuration.
- The author decided not to disclose the bugs directly to Forgejo due to the poor state of the codebase and opted for a 'Carrot Disclosure' approach instead.
- The 'Carrot Disclosure' method involves publishing the redacted output of an exploit to pressure the vendor into conducting a holistic audit and fixing issues, with users called 'Bugs Bunnies'.
- The proof of concept includes executing a command that confirmed RCE, creating a backdoor admin account, and listing the exploit scripts with their hashes and file details.