Package: redmine
Version: 6.0.5+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole

It is well known that the Redmine PDF creation for issues is broken
and is used regularly to run DoS attacks against public Redmine
instances. https://www.redmine.org/issues/3661

Just take a redmine tracker, append .pdf to the end of the issues and
when some of the issue doesn't immediately return a PDF, just run
wget/curl a couple of dozen times more against this URL. The server is
then gone (consuming resources and will cost you an arm+leg on a cloud
provider) and the apache/nginx proxy will just return a service outage
error ("504 gateway timed out").

People work around this by disabling PDF extensions in Apache:

RewriteEngine On
# Return HTTP 403 for any URL ending in .pdf - simply because Redmine
will hang forever and endlessly consume resources for the issue PDF
creation
RewriteRule \.pdf$ - [F,L,NC]


But it is a DoS-able bug in Redmine which either must be fixed or it
must be disabled by default.

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers

Reply via email to