FreeBuf.COM, the network security industry portal, publishes professional security information and technical analysis every day.
Recently, the code hosting site GitHub was reported to have a high-risk flaw in the file-attachment handling of its comment system, which attackers can exploit to distribute malware. A file dropped into the comment box of any issue or pull request is uploaded immediately and receives a permanent download link, even if the comment is never posted. Because that link contains the name of the repository and its owner, a victim can easily be tricked into thinking the file is a legitimate part of the project.
For example, the URL of a file uploaded this way can indicate that it comes from Microsoft, even though nothing in the project's code ever references it. IT Home cites two cases (URLs defanged):

https//github()com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https//github()com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
Exploiting this requires no special skill: the attacker only has to attach a malicious file to a comment draft in a trusted repository and then circulate the resulting GitHub link.

Moreover, these links sit on GitHub's own domain, and the path begins with "microsoft" or another well-known organization and repository name, so users are very likely to assume the download is official and safe.
GitHub has removed some of the malware links but has not yet fully fixed the flaw. Repository owners currently have no effective way to prevent this abuse of their project's name; the only remedy available to them is to disable comments entirely. Users should treat any github.com/&lt;owner&gt;/&lt;repo&gt;/files/... download as an arbitrary upload by an unknown third party, not as something published by the repository's maintainers.
Article source: https://www.ithome.com/0/763/606.htm

This article is an independent point of view. No reproduction without permission; for authorization please contact FreeBuf customer service XiaoBee, WeChat: freebee2022.