I think besides entering faked dates there was also another track about unauthorized uploading of SSH public keys. That sounded much more dangerous in the GitHub case than setting a nonsense date. Is that technically the same vulnerability (maybe just faking a new committer value and uploading afterwards through "legal" channels?) or a different issue?
Posted Mar 9, 2012 7:21 UTC (Fri) by khim (subscriber, #9252)
It's the same issue, just in a different form.
GitHub incidents spawns Rails security debate
Posted Mar 9, 2012 8:25 UTC (Fri) by mp (subscriber, #5615)
It's also mentioned in the article. See the last paragraph of the Mass assignments section.
GitHub incidents spawns Rails security debate
Posted Mar 9, 2012 10:24 UTC (Fri) by geuder (subscriber, #62854)
True, my bad. Obviously it worked just like I speculated.
(I remember reading the sentence with the HACKED file, but did not think much about it. When I was done with the article I wondered about the ssh public key thing, searched for "ssh" and for "key", and when none gave a hit I asked. Suitable intellectual performance for 9pm on the bus, hopefully it would have been better during the day ;)