Unauthorized users may be able to view almost all information related to Private projects.
State Resolved (Closed)
Disclosed publicly 2018-12-03T22:15:29.740Z
Reported To GitLab
Weakness Information Disclosure
Bounty


Timeline
submitted a report to GitLab.
2018-09-09T16:40:04.208Z

Summary:
On most pages related to Private projects, cache control is inadequate, so the contents of Private projects may leak to unauthorized users.

Description:
A project's visibility level can be set to Public, Internal, or Private.
Of these, Private projects can be viewed only by project members (in other words, they cannot be viewed by anyone who is not a project member).
The GitLab documentation also states:

Private projects can only be cloned and viewed by project members, ...

However, because cache control is inadequate on most pages related to Private projects, an attacker can view their contents simply by pressing the browser's "Back" button after the member has signed out.
The attacker does not need to be signed in to do this.

Note: This issue reproduces in all modern browsers.

Steps To Reproduce:

  1. Sign in to GitLab.
  2. Click the "[+]" icon.
  3. Click "New Project".
  4. Fill out "Project name" form with "PoC".
  5. Select "Private" as the visibility level.
  6. Click "Create project" button.
  7. Sign out from GitLab.
  8. Press the browser's "Back" button.

Result: The content of the private project "PoC" is displayed without logging in.

Impact

This issue leads to information disclosure.
Cache control is inadequate on most pages related to Private projects.
Therefore, almost all contents of a Private project may leak.

Although exploitation requires physical access to the victim's PC, it is not very difficult to gain such access in scenarios such as the following:

  • An unattended workstation in an office
  • A laptop used or left outside the office

The examples of critical information that may leak are as follows:

  • List of file names
  • Source code
  • Commit log
  • Issues
  • Contents of the wiki

Note: The official documentation states that these contents cannot be viewed by unauthorized users.

Regards,
Frans
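The reproduction steps and the impact section above both come down to one header question: does the response for a private-project page tell the browser not to store it? The following is an added example, not GitLab's code and not part of the original report. It parses Cache-Control, decides whether a response could be redisplayed from browser history after sign-out, and shows a Rack middleware that forces the safe headers. The helper names, the sample headers, and the PRIVATE_PATH matcher (a hypothetical project named "PoC") are assumptions made for illustration; the claim that browsers key their history handling on no-store is stated as an assumption in the code.

```ruby
# Added example for this report; it is not GitLab's code.  It checks whether a
# response's Cache-Control would let a browser redisplay a private-project
# page from history/cache after sign-out, and shows a Rack middleware that
# forces the safe headers.  Helper names, sample headers and the PRIVATE_PATH
# matcher are assumptions made for illustration.

# Parse "Cache-Control" into { directive => value-or-nil }, case-insensitive.
def parse_cache_control(value)
  return {} if value.nil? || value.strip.empty?

  value.split(',').each_with_object({}) do |part, acc|
    name, val = part.strip.split('=', 2)
    next if name.nil? || name.empty?

    acc[name.downcase] = val&.delete('"')
  end
end

# The back-button disclosure is prevented only when the browser is told not
# to store the response at all.  "private" or "no-cache" alone still let the
# browser keep a copy for history navigation (assumption: behaviour of
# current browsers, which key their history/bfcache handling on no-store).
def back_button_safe?(headers)
  parse_cache_control(headers['Cache-Control']).key?('no-store')
end

# Headers a page belonging to a private project should carry.
def private_page_headers(headers = {})
  headers.merge(
    'Cache-Control' => 'no-store, max-age=0',
    'Pragma'        => 'no-cache',                      # HTTP/1.0 caches
    'Expires'       => 'Thu, 01 Jan 1970 00:00:00 GMT'  # already expired
  )
end

# Rack middleware: apply the headers to any response whose request path the
# matcher recognises as a private-project page.  The matcher is an
# assumption; a real application would consult its authorisation layer.
class NoStorePrivatePages
  def initialize(app, matcher)
    @app = app
    @matcher = matcher
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = private_page_headers(headers) if @matcher.call(env['PATH_INFO'])
    [status, headers, body]
  end
end

# --- constructed demo (not captured from GitLab) ---
# Rails' default for a dynamic response is "max-age=0, private, must-revalidate";
# a browser may still show such a page on "Back" because it was never told no-store.
WEAK_HEADERS = { 'Cache-Control' => 'max-age=0, private, must-revalidate' }.freeze

# Hypothetical path prefix for the private project "PoC" from the steps above.
PRIVATE_PATH = ->(path) { path.start_with?('/PoC/') }

def demo
  inner = ->(_env) { [200, WEAK_HEADERS.dup, ['<h1>PoC</h1>']] }
  app = NoStorePrivatePages.new(inner, PRIVATE_PATH)
  _, hardened, _ = app.call('PATH_INFO' => '/PoC/blob/master/secret.rb')
  _, untouched, _ = app.call('PATH_INFO' => '/public/about')
  {
    weak_is_safe: back_button_safe?(WEAK_HEADERS),   # false: reproduces the report
    hardened_is_safe: back_button_safe?(hardened),   # true: no-store applied
    public_is_safe: back_button_safe?(untouched)     # false: public page left as-is
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the three verdicts; the weak (Rails-default) headers fail the check, which is the condition the report describes, and only the response that went through the middleware passes. The middleware leaves public pages untouched so they stay cacheable.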

jritchey Activities::Comment
2018-09-11T21:17:35.034Z
Hi @8ayac, Thank you for submitting this report. We are currently investigating the issue. Due to our current workload, we will get back within the next week with an update. Best regards, James


dappelt Activities::Comment
2018-09-12T11:05:16.141Z
Hi @8ayac, I could reproduce the described behavior. We are working internally on resolving the issue at https://gitlab.com/gitlab-org/gitlab-ce/issues/51423. The issue will be made public 30 days after a patch has been released. We will keep you updated on our progress via HackerOne. Feel free to contact us anytime if you need an update. Best regards, Dennis


dappelt Activities::BugTriaged
2018-09-12T11:07:33.089Z


jritchey Activities::BugResolved
2018-10-29T14:18:52.972Z
Thanks again for reporting this @8ayac! We've recently released the patch at https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/. Setting this issue to closed. I've requested to get some more swag sent your way. Please let me know if you don't receive the email with the swag code within a day or two. Best regards, James


8ayac Activities::Comment
2018-10-29T18:42:03.712Z
@jritchey, Thanks for the extra swag, I'm so happy! By the way, I hope to get a bounty, but what kind of discovery deserves one at GitLab? Won't you give a bounty for any of my continuing reports? Thanks.


jritchey Activities::Comment
2018-10-30T03:39:34.578Z
@8ayac, For our public program we only offer swag. Though since you've reported a few good findings in the public program, I've invited you to our VIP program, in which we reward bounties for any future reports. Best regards, James


8ayac Activities::Comment
2018-10-30T05:11:23.768Z
Thanks @jritchey for your invitation.


8ayac Activities::Comment
2018-10-30T05:14:40.049Z
@jritchey, May I publish this report?


jritchey Activities::Comment
2018-10-30T05:28:30.940Z
@8ayac, Our policy is to make all security issues public 30 days after a patch has been released. So for this one, we can make it public on Nov 26th.


8ayac Activities::Comment
2018-11-30T01:53:59.604Z
Hi @jritchey, Let's make this report public. Thanks.


jritchey Activities::AgreedOnGoingPublic
2018-12-03T19:56:21.502Z
@8ayac, Yep, let's set to public. Best regards, James


8ayac Activities::AgreedOnGoingPublic
2018-12-03T22:15:29.709Z


8ayac Activities::ReportBecamePublic
2018-12-03T22:15:29.758Z