Source Code Management Tools Affected by Severe Vulnerability
Three of the most popular version control systems (VCSs) used in managing source code projects are vulnerable to a flaw that allows an attacker to run code on a victim's platform, potentially leading to the theft of source code or the hijacking of the underlying machine.
Discovered by Joern Schneeweisz, a security researcher for Recurity Labs, the flaw relies on tricking users into cloning (copying) a source code project via an "ssh://" link. A URL in the form of "ssh://-oProxyCommand=some-command" allows an attacker to execute commands on the computer of the user performing the clone operation.
"While it might be tricky to convince a user to clone a repository with a rather shady looking ssh:// URL, it is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger," the researcher added.
Recurity Labs privately disclosed the vulnerability to all affected vendors and waited until all released patches. Yesterday, the company went public with its discovery. Out of all platforms, Schneeweisz says that Subversion is the most vulnerable because the platform doesn't detect HTTP redirects in repository cloning operations.