
GitHub incidents spawns Rails security debate


Posted Mar 8, 2012 20:31 UTC (Thu) by geuder (subscriber, #62854)
Parent article: GitHub incidents spawns Rails security debate

Thanks for the clearly written article.

I think besides entering faked dates there was also another track about unauthorized uploading of SSH public keys. That sounded much more dangerous in the GitHub case than setting a nonsense date. Is that technically the same vulnerability (maybe just faking a new committer value and uploading afterwards through "legal" channels?) or a different issue?



GitHub incidents spawns Rails security debate

Posted Mar 9, 2012 7:21 UTC (Fri) by khim (subscriber, #9252) [Link]

It's the same issue, just in a different form.

GitHub incidents spawns Rails security debate

Posted Mar 9, 2012 8:25 UTC (Fri) by mp (subscriber, #5615) [Link]

It's also mentioned in the article. See the last paragraph of the Mass assignments section.

GitHub incidents spawns Rails security debate

Posted Mar 9, 2012 10:24 UTC (Fri) by geuder (subscriber, #62854) [Link]

True, my bad. Obviously it worked just like I speculated.

(I remember reading the sentence with the HACKED file, but did not think much about it. When I was done with the article I wondered about the ssh public key thing, searched for "ssh" and for "key", and when none gave a hit I asked. Suitable intellectual performance for 9pm on the bus, hopefully it would have been better during the day ;)

