好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。首先,我得仔细阅读文章,理解主要信息。 文章主要讲的是Fedora从Pagure迁移到Forgejo后,作者检查了Forgejo的安全性。结果发现了很多漏洞,比如SSRF、缺少CSP、模板问题、加密不当、认证机制缺陷等等。作者在一个晚上就找到了很多漏洞,并且 chaining 了这些漏洞,获得了RCE、秘密泄露等权限。 接下来,作者考虑了披露方式,选择了胡萝卜披露法,即公开部分信息激励厂商修复。文章最后展示了POC代码和结果。 现在我要把这些内容浓缩到100字以内。重点包括:迁移到Forgejo后发现大量安全漏洞,如SSRF、认证缺陷等;利用这些漏洞实现RCE;采用胡萝卜披露法公开部分信息;厂商需修复以避免用户流失。 确保语言简洁明了,不使用“这篇文章”等开头词。检查字数是否符合要求。 </think> Fedora迁移到Forgejo后,作者发现其存在严重安全漏洞,包括SSRF、认证缺陷和加密问题等,并成功 chaining 漏洞实现RCE和秘密泄露。作者采用胡萝卜披露法公开部分信息,激励厂商修复以避免用户流失。 2026-4-28 20:40:2 Author: dustri.org(查看原文) 阅读量:15 收藏
Since Fedora moved from Pagure to Forgejo, I finally had an incentive to take a good look at Forgejo's security posture. The results aren't pretty to be honest: SSRF in a lot of places, no CSP/Trusted-Types, a bit of ghetto templating in javascript, cryptographic malpractices, overlooks in the authentication mechanisms (OAuth2, OTP, sessions/access handling, post-compromission recovery, …), a bunch of low-hanging DoS, information leak all over the place, various TOCTOU, … All in all, it took me one evening after work to find a good amount of vulnerabilities (adding to the one I got from looking at gitea at some point in the past), and chain them to obtain a full-blown RCE, secrets leaks, persistent account access, OAuth2 privesc, …
Fortunately (or unfortunately depending who you're asking), the exploit relies on
open registration, and on a configuration option set to a non-default value
(which is the case on some instances I've looked at, so nothing exotic). This
means that the selling value is pretty low/nonexistent.
I could disclose the bugs to Forgejo, they even have a Security
Policy,
with a lot of MUST/MUST NOT about what I should do do should I decide to go
this way. But given the sorry state of the codebase, I'm pretty sure I could
spend another evening and find another chain. I could spend time fixing the
issues myself, but
oh
well.
I discussed the conundrum with a friend of mine, and was told to put my money where my mouth is, and just go with carrot disclosure:
Carrot Disclosure, dangling a metaphorical carrot in front of the vendor to incentivise change. The main idea is to only publish the (redacted) output of the exploit for a critical vulnerability, to showcase that the software is exploitable. Now the vendor has two choices: either perform a holistic audit of its software, fixing as many issues as possible in the hope of fixing the showcased vulnerability; or losing users who might not be happy running a known-vulnerable software. Users of this disclosure model are of course called Bugs Bunnies.
So without further ado:
$ python3 ./poc/chain_alpha.py --target http://127.0.0.1:3000 > out.txt
$ grep Backdoor out.txt
[+] Backdoor admin created: svc_ljeopgid / dukecepapsygiqks!A1
$ tail -n17 out.txt
================================================================
[+] COMMAND EXECUTION CONFIRMED!
================================================================
Server-side hook output (received via git push stderr):
remote: ==========================================
remote: FORGEJO RCE PoC - Command Execution Proof
remote: ==========================================
remote: hostname: chernabog
remote: uid: uid=1000(jvoisin) gid=1000(jvoisin) groups=1000(jvoisin),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
remote: date: Tue Apr 28 19:16:59 UTC 2026
remote: proof: chernabog
remote: ==========================================
================================================================
$ sha256 ./poc/chain_alpha.py
c10d28a5ff74646683953874b035ca6ba56742db2f95198b54e561523e1880d7 ./poc/chain_alpha.py
$ ls -l ./poc
total 140
-rw-r--r--. 1 jvoisin jvoisin 23530 Apr 28 21:18 chain_alpha.py
-rw-r--r--. 1 jvoisin jvoisin 6382 Apr 28 01:14 chain_beta.py
-rw-r--r--. 1 jvoisin jvoisin 11410 Apr 28 21:54 chain_gamma.py
-rw-r--r--. 1 jvoisin jvoisin 10334 Apr 28 22:20 leak_secrets.py
-rw-r--r--. 1 jvoisin jvoisin 9171 Apr 28 23:15 merge.py
-rw-r--r--. 1 jvoisin jvoisin 83861 Apr 27 23:59 NOTES.md
$
如有侵权请联系:admin#unsafe.sh