Pagure Server Symbolic Link Vulnerability Leading to Arbitrary File Write

A vulnerability in Pagure server allows malicious users to exploit symbolic links in git repositories. When such a repository is submitted, the server may inadvertently access and reveal content from outside the repository. This issue arises because the Pagure method '_update_file_in_git()' follows symbolic links, potentially leading to unauthorized file writes on the server. The vulnerability was introduced in Pagure version 0.1.11 and is present in the latest development version.

Impact

Exploitation of this vulnerability allows for arbitrary file writes on the Pagure server. This could be leveraged to execute arbitrary code, as demonstrated by the reporter who gained code execution by overwriting a user profile file.

Reproduction

To reproduce this vulnerability, create a new repository on a Pagure server and clone it locally. From the local clone, create a symbolic link pointing to an arbitrary location, commit the change, and push it back to the Pagure server. Then, through the web interface, edit the file linked by the symbolic link. The content will be written to the location pointed to by the link, effectively exploiting the vulnerability.

Remediation

The vulnerability has been fixed in Pagure. Users should update to the latest version.