Commit b51ee41
fix: Fix exposing password hashes in user edit page
When an administrator edits a user entry, the user's password hash is present on the edit page. This is unnecessary. But it exposes the hash to an administrator who could choose to try to brute-force the hash and use the password on other logins of that user. This is an issue for administrative users who have no access to the actual database on disk but access to the user edit web page.
1 parent bd2e85e commit b51ee41
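The commit message above explains the threat: an administrator who can open the user edit page, but not the database on disk, gets the stored hash and can brute-force it offline. The following is an added example, not code from Gitblit or from this commit, that shows both halves of that point: a check that scans a rendered edit form for a pre-filled hash (the leak this fix removes), and a dictionary attack against such a hash once it is exposed. The hash layout used here (unsalted MD5 over username + password, as a stand-in for "combined-md5"), the form HTML and the wordlist are all constructed assumptions for the demo, not Gitblit's actual encoding or markup.

```python
"""Added example (not Gitblit code): why a stored password hash shown on an
admin page is worth protecting, and a quick check for the leak.

Assumptions (constructed for the demo, not taken from the page or from Gitblit):
the stored value is an unsalted MD5 of username + password, standing in for a
"combined-md5" style hash; the form HTML and wordlist below are made up.
"""
import hashlib
import re
from typing import List, Optional, Tuple


def combined_md5(username: str, password: str) -> str:
    """Assumed hash layout: unsalted MD5 over username + password, hex-encoded.
    This is an assumption, not Gitblit's exact encoding. What matters for the
    attack is that it is unsalted and fast to compute."""
    return hashlib.md5((username + password).encode("utf-8")).hexdigest()


def dictionary_attack(username: str, target_hash: str,
                      wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Offline guess of the password behind an exposed hash.
    Returns (recovered_password or None, candidates_tried).
    The username is displayed on the same edit page, so folding it into the
    hash adds no protection once the hash itself is visible."""
    for tried, candidate in enumerate(wordlist, start=1):
        if combined_md5(username, candidate) == target_hash:
            return candidate, tried
    return None, len(wordlist)


INPUT_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Hex digests of MD5 / SHA-1 / SHA-256 length.
HEX_DIGEST_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$",
                           re.IGNORECASE)


def leaked_hash_fields(html: str, stored_hash: Optional[str] = None) -> List[str]:
    """Names of <input> fields on a rendered edit page that carry a password hash.
    A field is flagged when its value equals the known stored hash, or when a
    password-type field is pre-filled with something that looks like a hex digest.
    A correctly rendered edit form should return an empty list."""
    findings = []
    for tag in INPUT_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        name = attrs.get("name", "?")
        value = attrs.get("value", "")
        if not value:
            continue
        if stored_hash and value == stored_hash:
            findings.append(name)
        elif attrs.get("type", "").lower() == "password" and HEX_DIGEST_RE.match(value):
            findings.append(name)
    return findings


# Constructed sample data (not from a real Gitblit instance).
USERNAME = "alice"
STORED_HASH = combined_md5(USERNAME, "Summer2023!")
WORDLIST = ["password", "letmein", "alice123", "Summer2023", "Summer2023!"]

# Constructed rendering of an edit form that pre-fills the stored hash (the bug)...
LEAKY_PAGE = (
    f'<form><input type="text" name="username" value="{USERNAME}">'
    f'<input type="password" name="password" value="{STORED_HASH}">'
    f'<input type="password" name="confirmPassword" value="{STORED_HASH}"></form>'
)
# ...and one that leaves the password fields empty (the expected behaviour).
FIXED_PAGE = (
    f'<form><input type="text" name="username" value="{USERNAME}">'
    '<input type="password" name="password" value="">'
    '<input type="password" name="confirmPassword" value=""></form>'
)

if __name__ == "__main__":
    print("leaky page leaks:", leaked_hash_fields(LEAKY_PAGE, STORED_HASH))
    print("fixed page leaks:", leaked_hash_fields(FIXED_PAGE, STORED_HASH))
    print("recovered:", dictionary_attack(USERNAME, STORED_HASH, WORDLIST))
```

Run against a saved copy of your own instance's edit page, `leaked_hash_fields` is a cheap regression check for this class of bug; the dictionary attack needs only the hash and the username, both of which the leaky page hands to any administrator.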

11 files changed: +36 / -24 lines

releases.moxie

Lines changed: 2 additions & 0 deletions
@@ -34,6 +34,7 @@ r34: {
3434
security:
3535
- Fix path traversal vulnerability which allowed access to "/resources//../WEB-INF/". (CVE-2022-31268) This was fixed by updating Jetty. (issue-1409)
3636
- Fix exploit circumventing SSH authentication. Many thanks to András Veres-Szentkirályi (silentsignal.eu) for the report. (CVE-2024-28080)
37+
- Fix vulnerability exposing user password hashes to administrators when an administrator edits a user's properties. Many thanks to Gerhard Klostermeier (syss.de) for the report.
3738
fixes:
3839
- Fix crash in Gitblit Authority when users were deleted from Gitblit but still had entries (certificates) in the Authority. (issue-1359, pr-1435)
3940
- Fix tab-to-space conversion to work like tabs. (pr-1065 by @QuentinC)
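Review bot: the new security entry (37+) carries no issue or CVE reference, while both entries above it do (issue-1409 / CVE-2022-31268, CVE-2024-28080). If an issue or advisory was opened for this report, add its identifier in the same trailing-parenthesis style so the note stays cross-referenceable, and consider stating what an operator can verify ("the user edit page no longer pre-fills the stored password hash"), since "exposing user password hashes to administrators" alone does not say where the exposure was.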
@@ -97,6 +98,7 @@ r34: {
9798
- @xxl-cc
9899
- Egor Shchegolkov
99100
- András Veres-Szentkirályi
101+
- Gerhard Klostermeier
100102
}
101103

102104
#

src/main/java/com/gitblit/wicket/GitBlitWebApp.properties

Lines changed: 1 addition & 1 deletion
@@ -248,7 +248,7 @@ gb.teamMustSpecifyRepository = A team must specify at least one repository.
248248
gb.teamCreated = New team ''{0}'' successfully created.
249249
gb.pleaseSetUsername = Please enter a username!
250250
gb.usernameUnavailable = Username ''{0}'' is unavailable.
251-
gb.combinedMd5Rename = Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename.
251+
gb.combinedMd5Rename = This user is configured for combined-md5 password hashing. You must enter a new password on account rename.
252252
gb.userCreated = New user ''{0}'' successfully created.
253253
gb.couldNotFindFederationRegistration = Could not find federation registration!
254254
gb.failedToFindGravatarProfile = Failed to find Gravatar profile for {0}
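Review bot: the reworded gb.combinedMd5Rename (251+) turns a statement about a server-wide setting ("Gitblit is configured for combined-md5 password hashing") into one about the individual account ("This user is configured for ..."), which implies the rename check now inspects the user's stored hash rather than the global hashing setting. That logic is not in this view (the 10 files shown are release notes and message bundles, of the 11 reported changed), so the wording cannot be checked against it; confirm the check really is per-user, otherwise the old text was the accurate one. The message could also say why a rename forces a new password, which the requirement itself implies: the username is part of what gets hashed.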

src/main/java/com/gitblit/wicket/GitBlitWebApp_de.properties

Lines changed: 1 addition & 1 deletion
@@ -248,7 +248,7 @@ gb.teamMustSpecifyRepository = Ein Team muss mindestens einem Repository zugewie
248248
gb.teamCreated = Neues Team ''{0}'' erfolgreich angelegt.
249249
gb.pleaseSetUsername = Bitte geben Sie einen Benutzernamen an!
250250
gb.usernameUnavailable = Benutzername ''{0}'' ist nicht verf\u00fcgbar.
251-
gb.combinedMd5Rename = Gitblit ist f\u00fcr kombiniertes MD5-Passwort-Hashing konfiguriert. Sie m\u00fcssen beim Umbenennen des Kontos ein neues Passwort angeben.
251+
gb.combinedMd5Rename = Dieser Benutzer ist f\u00fcr kombiniertes MD5-Passwort-Hashing konfiguriert. Sie m\u00fcssen beim Umbenennen des Kontos ein neues Passwort angeben.
252252
gb.userCreated = Neuer Benutzer ''{0}'' erfolgreich angelegt.
253253
gb.couldNotFindFederationRegistration = Konnte Verbindungsregistrierung (Federation) nicht finden!
254254
gb.failedToFindGravatarProfile = Das Gravatar Profil f\u00fcr {0} konnte nicht gefunden werden

src/main/java/com/gitblit/wicket/GitBlitWebApp_es.properties

Lines changed: 1 addition & 1 deletion
@@ -248,7 +248,7 @@ gb.teamMustSpecifyRepository = Debe especificar al menos un repositorio para el
248248
gb.teamCreated = Nuevo Equipo ''{0}'' creado satisfactoriamente.
249249
gb.pleaseSetUsername = \u00A1Por favor, introduce un usuario!
250250
gb.usernameUnavailable = El usuario ''{0}'' no est\u00E1 disponible.
251-
gb.combinedMd5Rename = GitBlit est\u00E1 configurado para Hashes combinados md5. Debes introducir una nueva contrase\u00F1a para renombrar la cuenta.
251+
gb.combinedMd5Rename = El usuario est\u00E1 configurado para Hashes combinados md5. Debes introducir una nueva contrase\u00F1a para renombrar la cuenta.
252252
gb.userCreated = Nuevo usuario ''{0}'' creado satisfactoriamente.
253253
gb.couldNotFindFederationRegistration = \u00A1No se pudo encontrar el registro de federaci\u00F3n!
254254
gb.failedToFindGravatarProfile = Fallo al buscar el perfil Gravatar de {0}

src/main/java/com/gitblit/wicket/GitBlitWebApp_fr.properties

Lines changed: 1 addition & 1 deletion
@@ -248,7 +248,7 @@ gb.teamMustSpecifyRepository = Une \u00e9quipe doit d\u00e9finir au moins un d\u
248248
gb.teamCreated = La nouvelle \u00e9quipe ''{0}'' cr\u00e9\u00e9 avec succ\u00e8s.
249249
gb.pleaseSetUsername = Entrez un identifiant SVP !
250250
gb.usernameUnavailable = L'identifiant ''{0}'' est indisponible.
251-
gb.combinedMd5Rename = Gitblit est configur\u00e9 pour des mots de passe hash\u00e9s combined-md5. Vous devez entrer un nouveau mot de passe pour ce compte.
251+
gb.combinedMd5Rename = L'identifiant est configur\u00e9 pour des mots de passe hash\u00e9s combined-md5. Vous devez entrer un nouveau mot de passe pour ce compte.
252252
gb.userCreated = Le nouveau utilisateur ''{0}'' est cr\u00e9\u00e9 avec succ\u00e8s.
253253
gb.couldNotFindFederationRegistration = N'arrive pas \u00e0 joindre l'enregistrement de la f\u00e9d\u00e9ration !
254254
gb.failedToFindGravatarProfile = N'arrive pas trouver un profil Gravatar pour {0}
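Review bot: in the French gb.combinedMd5Rename (251+), "L'identifiant est configuré" says the login name, not the user, is configured for combined-md5 hashing; "Cet utilisateur est configuré pour ..." matches the English "This user is configured". The second sentence ("pour ce compte") also drops the rename condition that every other language keeps; "lors du renommage du compte" would restore it.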

src/main/java/com/gitblit/wicket/GitBlitWebApp_it.properties

Lines changed: 1 addition & 1 deletion
@@ -248,7 +248,7 @@ gb.teamMustSpecifyRepository = Un gruppo deve specificare almeno un repository.
248248
gb.teamCreated = Nuovo gruppo ''{0}'' creato con successo.
249249
gb.pleaseSetUsername = Nome utente non specificato!
250250
gb.usernameUnavailable = Il nome utente ''{0}'' non è disponibile.
251-
gb.combinedMd5Rename = Gitblit è configurato per effettuare un hashing delle password di tipo combinato-md5. E' quindi necessario specificare una nuova password quando si rinomina un utenza.
251+
gb.combinedMd5Rename = Il nome utente è configurato per effettuare un hashing delle password di tipo combinato-md5. E' quindi necessario specificare una nuova password quando si rinomina un utenza.
252252
gb.userCreated = Nuovo utente ''{0}'' creato con successo.
253253
gb.couldNotFindFederationRegistration = Impossibile trovare la registrazione di federazione!
254254
gb.failedToFindGravatarProfile = Profilo Gravatar per {0} non reperito!
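Review bot: the Italian gb.combinedMd5Rename (251+) now reads "Il nome utente è configurato", i.e. "the username is configured", where the English says the user is; "Questo utente è configurato per ..." is the intended subject. Since the line is being touched anyway, "un utenza" on the same line should be "un'utenza".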

src/main/java/com/gitblit/wicket/GitBlitWebApp_nl.properties

Lines changed: 1 addition & 1 deletion
@@ -248,7 +248,7 @@ gb.teamMustSpecifyRepository = Een team moet minimaal één repositorie specific
248248
gb.teamCreated = Nieuw team ''{0}'' successvol aangemaakt.
249249
gb.pleaseSetUsername = Vul aub een gebruikersnaam in!
250250
gb.usernameUnavailable = Gebruikersnaam ''{0}'' is niet beschikbaar.
251-
gb.combinedMd5Rename = Gitblit is geconfigureerd voor combined-md5 wachtwoord hashing. U moet een nieuw wachtwoord opgeven bij het hernoemen van een account.
251+
gb.combinedMd5Rename = Gebruikersnaam is geconfigureerd voor combined-md5 wachtwoord hashing. U moet een nieuw wachtwoord opgeven bij het hernoemen van een account.
252252
gb.userCreated = Nieuwe gebruiker ''{0}'' succesvol aangemaakt.
253253
gb.couldNotFindFederationRegistration = Kon de federatie registratie niet vinden!
254254
gb.failedToFindGravatarProfile = Kon het Gravatar profiel voor {0} niet vinden
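Review bot: the Dutch gb.combinedMd5Rename (251+) starts "Gebruikersnaam is geconfigureerd", which is "Username is configured" with the article missing; the English subject is the user, so "Deze gebruiker is geconfigureerd voor ..." is the matching translation.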

src/main/java/com/gitblit/wicket/GitBlitWebApp_no.properties

Lines changed: 1 addition & 1 deletion
@@ -248,7 +248,7 @@ gb.teamMustSpecifyRepository = Et team m\u00e5 ha minst et repository.
248248
gb.teamCreated = Team ''{0}'' opprettet.
249249
gb.pleaseSetUsername = Vennlist angi et brukernavn!
250250
gb.usernameUnavailable = Brukernavnet ''{0}'' er ikke tilgjengelig.
251-
gb.combinedMd5Rename = Gitblit er satt opp med combined-md5 passord hashing. Du m\u00e5 angi et nytt passord n\u00e5r du gir en konto et nytt navn.
251+
gb.combinedMd5Rename = Brukernavnet er satt opp med combined-md5 passord hashing. Du m\u00e5 angi et nytt passord n\u00e5r du gir en konto et nytt navn.
252252
gb.userCreated = Ny bruker ''{0}'' opprettet.
253253
gb.couldNotFindFederationRegistration = Kunne ikke finne federeringsoppf\u00F8ringen!
254254
gb.failedToFindGravatarProfile = Fant ikke gravatar-profilen for {0}
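Review bot: the Norwegian gb.combinedMd5Rename (251+) says "Brukernavnet er satt opp", "the username is set up", instead of the user; "Denne brukeren er satt opp med ..." follows the English "This user is configured".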

src/main/java/com/gitblit/wicket/GitBlitWebApp_pl.properties

Lines changed: 2 additions & 2 deletions
@@ -246,8 +246,8 @@ gb.teamNameUnavailable = Nazwa zespo\u0142u ''{0}'' jest niedost\u0119pna.
246246
gb.teamMustSpecifyRepository = Zesp\u00F3\u0142 musi posiada\u0107 conajmniej jedno repozytorium.
247247
gb.teamCreated = Zesp\u00F3\u0142 ''{0}'' zosta\u0142 utworzony.
248248
gb.pleaseSetUsername = Wpisz nazw\u0119 u\u017Cytkownika!
249-
gb.usernameUnavailable = Nazwa u\u017Cytkownika''{0}'' jest niedost\u0119pna.
250-
gb.combinedMd5Rename = Gitblit jest skonfigurowany na po\u0142\u0105czone haszowanie hase\u0142 md5. Musisz wpisa\u0107 nowe has\u0142o przy zmianie nazwy konta.
249+
gb.usernameUnavailable = Nazwa u\u017Cytkownika ''{0}'' jest niedost\u0119pna.
250+
gb.combinedMd5Rename = Nazwa u\u017Cytkownika jest skonfigurowany na po\u0142\u0105czone haszowanie hase\u0142 md5. Musisz wpisa\u0107 nowe has\u0142o przy zmianie nazwy konta.
251251
gb.userCreated = U\u017Cytkownik ''{0}'' zosta\u0142 utworzony.
252252
gb.couldNotFindFederationRegistration = Nie mo\u017Cna znale\u017A\u0107 rejestracji federacji!
253253
gb.failedToFindGravatarProfile = B\u0142\u0105d podczas dopasowania profilu Gravatar dla {0}
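Review bot: the Polish gb.combinedMd5Rename (250+) has an agreement error and the wrong subject: "Nazwa użytkownika jest skonfigurowany" pairs a feminine noun ("nazwa") with a masculine participle, and says the username rather than the user is configured. "Ten użytkownik jest skonfigurowany na ..." fixes both and matches the English. This hunk also bundles an unrelated whitespace fix to gb.usernameUnavailable (249-/249+, the missing space before ''{0}''); harmless, but it should be mentioned in the commit message or split out.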

src/main/java/com/gitblit/wicket/GitBlitWebApp_pt_BR.properties

Lines changed: 1 addition & 1 deletion
@@ -247,7 +247,7 @@ gb.teamMustSpecifyRepository = Uma equipe deve especificar pelo menos um reposit
247247
gb.teamCreated = Nova equipe ''{0}'' criada com sucesso.
248248
gb.pleaseSetUsername = Por favor entre com um username!
249249
gb.usernameUnavailable = Username ''{0}'' est\u00e1 indispon\u00edvel.
250-
gb.combinedMd5Rename = Gitblit est\u00e1 configurado para usar um hash combinado-md5. Voc\u00ea deve inserir um novo password ao renamear a conta.
250+
gb.combinedMd5Rename = Username est\u00e1 configurado para usar um hash combinado-md5. Voc\u00ea deve inserir um novo password ao renamear a conta.
251251
gb.userCreated = Novo usu\u00e1rio ''{0}'' criado com sucesso.
252252
gb.couldNotFindFederationRegistration = N\u00e3o foi poss\u00edvel localizar o registro da federa\u00e7\u00e3o!
253253
gb.failedToFindGravatarProfile = Falha ao localizar um perfil Gravatar para {0}
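Review bot: the pt_BR gb.combinedMd5Rename (250+) replaces "Gitblit" with the English word "Username", so the sentence neither translates the subject nor matches the English meaning ("This user"); "Este usuário está configurado para ..." does. On the same changed line, "renamear" is not Portuguese and should be "renomear".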
