Gitlab : Information disclosure of Private and Internal Project/Groups on Gitlab.com (IDOR)
Company Information :
GitLab Inc. is an open-core company that operates GitLab, a DevOps software package which can develop, secure, and operate software.
Bug Category :
Insecure direct object reference (IDOR) :
Insecure direct object reference is a type of access control vulnerability in digital security. This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication.
Target Information :
https://gitlab.com
Gitlab Community Server
Gitlab Enterprise Server
Technical Details of the Bug :
In Project -> Settings -> General -> Permissions you can restrict access to Issues, Repository, Wiki etc. to "Only project members". Once you make these changes, no other user should be able to access your project repository or any related details. But there is an API request for the board lists which discloses multiple details about the project that should be restricted.
It discloses many details about the lists, labels, milestones, associated users etc. Sample response:
```json
[
  {"id":2267641,"list_type":"backlog","position":null,"title":"Backlog","label":null,"user":null,"milestone":null},
  {"id":2267973,"list_type":"label","position":0,"title":"VGtestLabel1",
   "label":{"id":8564533,"title":"VGtestLabel1","color":"#428BCA","description":"VGtestLabel","text_color":"#FFFFFF","type":"ProjectLabel","priority":1},
   "user":null,"milestone":null},
  {"id":2267642,"list_type":"closed","position":null,"title":"Closed","label":null,"user":null,"milestone":null},
  {"id":2301401,"list_type":"assignee","position":1,"title":"@bugcrowdtester1110","label":null,
   "user":{"id":3086512,"name":"bugcrowdtester","username":"bugcrowdtester1110","state":"active","avatar_url":"https://secure.gravatar.com/avatar/3432b4f342c49c4e307981dd40f99149?s=80\u0026d=identicon","web_url":"https://gitlab.com/bugcrowdtester1110","status_tooltip_html":null,"path":"/bugcrowdtester1110"},
   "milestone":null},
  {"id":2301402,"list_type":"milestone","position":2,"title":"VG test milstone","label":null,"user":null,
   "milestone":{"id":700538,"iid":1,"project_id":9201628,"title":"VG test milstone","description":"VG test milstone","state":"active","created_at":"2018-11-06T00:03:34.112Z","updated_at":"2018-11-06T00:03:34.112Z","due_date":"2018-11-15","start_date":"2018-11-07","web_url":"https://gitlab.com/vijaygangani11107/testproject2/milestones/1"}}
]
```
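The root cause described above is an endpoint that checks whether the caller can see the project but not whether the caller can see the feature (issues and boards) the data belongs to. The following is an added illustration, not GitLab's own code: a small Ruby model of project visibility plus a per-feature "Only project members" setting, with the board-lists endpoint written once with the defect and once with the feature-level check. The names `FeatureAccess`, `Project`, `BoardListsEndpoint` and the sample data are hypothetical.

```ruby
# Added illustration (not GitLab's code): a minimal model of project-level
# feature permissions and a board-lists endpoint that enforces them.
# FeatureAccess, Project and BoardListsEndpoint are hypothetical names.

module FeatureAccess
  DISABLED = 0   # nobody can use the feature
  PRIVATE  = 10  # "Only project members"
  ENABLED  = 20  # everyone who can see the project
end

Project = Struct.new(:visibility, :issues_access, :members, :board_lists, keyword_init: true) do
  # Can +user+ see the project at all? (nil user = anonymous request)
  def readable_by?(user)
    return true if visibility == :public
    return true if visibility == :internal && !user.nil?
    !user.nil? && members.include?(user)
  end

  # Can +user+ read issues, and therefore boards, lists, labels and milestones?
  def issues_readable_by?(user)
    return false unless readable_by?(user)
    case issues_access
    when FeatureAccess::ENABLED then true
    when FeatureAccess::PRIVATE then !user.nil? && members.include?(user)
    else false
    end
  end
end

class BoardListsEndpoint
  def initialize(project)
    @project = project
  end

  # The defect described in the report: only project visibility is checked, so
  # an internal/public project whose issues are "Only project members" still
  # returns its lists, labels, milestones and assignees to non-members.
  def vulnerable(user)
    return { status: 404 } unless @project.readable_by?(user)
    { status: 200, body: @project.board_lists }
  end

  # Hardened version: the feature-level permission gates the whole response.
  def fixed(user)
    return { status: 404 } unless @project.issues_readable_by?(user)
    { status: 200, body: @project.board_lists }
  end
end

# Constructed sample data mirroring the shape of the response in the report.
SAMPLE_LISTS = [
  { id: 1, list_type: "backlog", title: "Backlog" },
  { id: 2, list_type: "label", title: "VGtestLabel1", label: { title: "VGtestLabel1" } },
  { id: 3, list_type: "milestone", title: "VG test milstone", milestone: { iid: 1 } }
].freeze

# An internal project with issues restricted to members, as in the report.
def demo_project
  Project.new(visibility: :internal,
              issues_access: FeatureAccess::PRIVATE,
              members: ["victim"],
              board_lists: SAMPLE_LISTS)
end

if __FILE__ == $PROGRAM_NAME
  ep = BoardListsEndpoint.new(demo_project)
  puts "vulnerable, non-member: #{ep.vulnerable('attacker')[:status]}"  # 200
  puts "fixed, non-member:      #{ep.fixed('attacker')[:status]}"       # 404
  puts "fixed, member:          #{ep.fixed('victim')[:status]}"         # 200
end
```

The point of the `fixed` variant is that the authorization decision is made once, at the feature level, and returns the same 404 for anonymous users, non-members and disabled features, so the endpoint cannot be used to tell a restricted project apart from a non-existent one.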
Steps To Reproduce:
Take two different accounts to reproduce this issue.
1. Log in from the victim account and create a project.
2. Keep the project as Internal/Public and set the "Only project members" permission for Repository, Issues, Wiki and Snippets.
3. Go to CI/CD and disable Public pipelines too.
4. Now only members should be able to access issues, and no other user should be able to access any details of issues, lists or milestones.
5. Now log in from the attacker account and go to the project.
6. You will notice that this user does not have access to the Issues, Lists, Boards etc. sections of the project.
7. Now run the above mentioned API request with a valid project name.
8. In the JSON response you will see multiple details like those shown in the sample response.
Impact :
It was possible to view the information of any Private project or Group on GitLab.
Timeline :
Nov 15th 2018 : Report sent to the GitLab Product Security Team through HackerOne.
Nov 16th 2018 : Report accepted and triaged.
Feb 4th 2019 : Complete issue was resolved and confirmed.
Feb 4th 2019 : $2500 bounty rewarded.