[SECURITY ISSUE] CVE-2015-0260: API key of repository's creator exposed by get_repo API method

Kallithea Security Team security at kallithea-scm.org
Tue Feb 10 17:29:09 EST 2015


Dear users,

We've discovered a security issue in Kallithea. If you encounter any
issues with applying the fix, don't hesitate to ask us. The details of
the security notice follow below.

Synopsis
========

A vulnerability has been found in Kallithea that allows a remote
attacker to gain access to repositories with the privileges of another
existing user.

Description
===========

The get_repo API method doesn't check the identity of the caller and
exposes all details about the repository "followers" regardless of
whether they have access to such data or not.

The structures returned by this method contain such sensitive
information as last login timestamp, IP addresses, authentication
method details and private API access keys:

    "followers": [
        {
            "active": true,
            "admin": true,
            "api_key": "f5****9c",
            "api_keys": [
                "f5*****9c"
            ],
            "email": "user.name@company.com",
            "emails": [
                "user.name@company.com"
            ],
            "extern_name": "username",
            "extern_type": "pam",
            "firstname": "User",
            "ip_addresses": [],
            "last_login": "2015-02-08T18:17:39",
            "lastname": "Name",
            "user_id": 3,
            "username": "username"
        }

Impact
======

The exposed information allows an attacker to track users and gain
access to the repositories using their API keys. If the user also has
administrator rights, the attacker can gain full administrator access
to the Kallithea instance.

Workaround
==========

Users are advised to remove the API controller to prevent potential
attackers from accessing the API. This can be achieved by deleting or
commenting out lines 458-460 in kallithea/config/routing.py. An
alternative to that may be blocking or limiting access to /_admin/api
URLs in the configuration of the webserver or a front-end reverse proxy.

A patch to remove the API controller may look like this:

    diff --git a/kallithea/config/routing.py
    b/kallithea/config/routing.py --- a/kallithea/config/routing.py
    +++ b/kallithea/config/routing.py
    @@ -455,9 +455,6 @@ def make_map(config):
         #==========================================================================
         # API V2
         #==========================================================================
    -    with rmap.submapper(path_prefix=ADMIN_PREFIX,
    -                        controller='api/api') as m:
    -        m.connect('api', '/api')
     
         #USER JOURNAL
         rmap.connect('journal', '%s/journal' % ADMIN_PREFIX,
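
Review bot: In the "API V2" block, deleting the three `rmap.submapper(...)` / `m.connect('api', '/api')` lines leaves the `# API V2` banner with nothing under it and no record of why the route is gone; leave a one-line comment there naming CVE-2015-0260 (or comment the lines out, as the text above allows) so the route is not restored by accident in a later merge. The header as quoted is also wrapped, with the `--- a/kallithea/config/routing.py` line fused onto the end of the `b/kallithea/config/routing.py` line, so rejoin those lines or make the edit by hand rather than feeding this text to patch as is.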

Resolution
==========

The Kallithea project has released a patch fixing this issue by removing
the sensitive information from API calls. It is strongly recommended
that users apply this patch. The patch applies to both the 0.1 release
and the latest Mercurial tip.

Unfortunately, this patch disables some API functionality where the
information exposure occurred. We will continue seeking a solution which
prevents unauthorised access and at the same time doesn't break existing
API functionality. As soon as such a solution is developed, we'll notify
our users.

Users are also advised to reset or remove all existing API keys from
the database. For users with SQLite or PostgreSQL as the database
backend, a possible way to do so is to run the following SQL statements:

    update users set api_key='disabled-'||random();
    update user_api_keys set api_key='disabled-'||random();

Affected versions
=================

The issue is currently present in all available Kallithea versions.
Also, the issue affects publicly available versions of RhodeCode that
support the JSON-RPC API interface.

References
==========

[1] CVE-2015-0260
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0260>

[2] Kallithea: Security Notice CVE-2015-0260
    <https://kallithea-scm.org/security/cve-2015-0260.html>

[3] Patch for the issue
    <https://kallithea-scm.org/security/cve-2015-0260.patch>

[4] Mercurial changeset fixing the issue
    <https://kallithea-scm.org/repos/kallithea/changeset/5923d74742879b812965568475e21c3496d722a9>

-- 
Cheers,
  Andrew Shadura
  on behalf of Kallithea Security Team
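
An added example, not part of the original advisory or Kallithea's own code: a Python check that walks a decoded get_repo response and reports every sensitive field the Description lists, for confirming that a patched instance no longer returns them. It generalizes from "followers" to any nested user structure; the JSON-RPC envelope (id/result/error), the sample values and the function names are assumptions.

```python
import json

# Fields the advisory names as sensitive: API keys, last login timestamp,
# IP addresses and authentication method details.
SENSITIVE_KEYS = {"api_key", "api_keys", "last_login",
                  "ip_addresses", "extern_name", "extern_type"}

# Constructed sample modelled on the advisory's excerpt. The id/result/error
# envelope and every value here are assumptions, not captured output.
SAMPLE_VULNERABLE = json.loads("""
{"id": 1, "error": null, "result": {
  "repo_name": "example-repo",
  "followers": [
    {"user_id": 3, "username": "username", "admin": true,
     "api_key": "PLACEHOLDER", "api_keys": ["PLACEHOLDER"],
     "extern_name": "username", "extern_type": "pam",
     "ip_addresses": [], "last_login": "2015-02-08T18:17:39"}
  ]}}
""")

# Constructed sample of a response with the sensitive fields stripped.
SAMPLE_CLEAN = {"id": 2, "error": None, "result": {
    "followers": [{"user_id": 3, "username": "username"}]}}

def find_exposed_fields(node, path="result"):
    """Return sorted JSON paths of sensitive keys found anywhere under node."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                hits.append(here)  # report the field name, never its value
            else:
                hits.extend(find_exposed_fields(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_exposed_fields(item, f"{path}[{index}]"))
    return sorted(hits)

def check_response(response):
    """Return (ok, exposed_paths) for a decoded JSON-RPC response."""
    if response.get("error") is not None:
        raise ValueError(f"API returned an error: {response['error']}")
    exposed = find_exposed_fields(response.get("result"))
    return (not exposed, exposed)

if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("clean", SAMPLE_CLEAN)):
        ok, exposed = check_response(sample)
        print(name, "OK" if ok else "EXPOSED", exposed)
```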