Stored XSS in merge request pages
State Resolved (Closed)
Disclosed publicly 2018-12-03T22:15:49.225Z
Reported To GitLab
Weakness Cross-site Scripting (XSS) - Stored
Bounty


Timeline
8ayac submitted a report to GitLab.
2018-09-13T10:56:07.365Z

Summary:
I found a Stored XSS in merge request pages.

Description:
The exploit is via the parameter merge_request[source_branch] of the request to create a New Merge Request.

Steps To Reproduce:

  1. Sign in to GitLab.
  2. Click the "[+]" icon.
  3. Click "New Project".
  4. Fill out "Project name" form with "test-project".
  5. Check the radio button of "Public".
  6. Check the "Initialize repository with a README".
  7. Click "Create project" button.
  8. Go to "http(s)://{GitLab host}/{user id}/test-project/branches/new".
  9. Fill out each form as follows:
    • Branch name: test-branch
    • Create from: master
  10. Click "Create branch" button.
  11. Go to "http://{GitLab host}/{user id}/test-project/merge_requests".
  12. Click "Create merge request" button.
  13. Click "Submit merge request" button.
  14. Intercept the request.
  15. Change the merge_request[source_branch] parameter's value to <img/src=x onerror=alert(1)>
  16. Send the request.

Result: poc.png

Note: This behavior can be reproduced on all modern browsers.

Impact

The security impact is the same as any typical Stored XSS.

Thank you.

Regards,
Frans
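
The steps above put a string that can never be a real branch name into merge_request[source_branch] and get it rendered as markup. The following is an added example, not code from the report or from GitLab (the page does not say what GitLab's actual fix in issue 51527 changed): it shows a hypothetical view helper that interpolates the branch name unescaped, the same helper with HTML escaping, and a server-side resolution step that rejects the PoC value outright because it is not a valid git ref name and does not match any existing branch. The helper names, the markup, and the branch list are assumptions made for the example.

```ruby
# Added example (not GitLab's code): why the PoC payload in
# merge_request[source_branch] became script execution, and two independent
# server-side checks that stop it.
require "erb"

PAYLOAD = "<img/src=x onerror=alert(1)>".freeze # the value from step 15 of the report

# Hypothetical vulnerable view helper: the branch name is concatenated into
# HTML as-is, so the browser parses the payload as an <img> element whose
# onerror handler runs.
def render_source_branch_unsafe(branch)
  "<span class=\"ref-name\">#{branch}</span>"
end

# Hardened helper: HTML-escape untrusted text before it enters markup.
# ERB::Util.html_escape is what Rails' `h` / auto-escaping call under the hood;
# the `<` and `>` become &lt; and &gt; and no element is created.
def render_source_branch_safe(branch)
  "<span class=\"ref-name\">#{ERB::Util.html_escape(branch)}</span>"
end

# Second, independent check: a source branch is only meaningful if it names a
# ref that exists. A subset of the git check-ref-format rules (assumed here):
# no control characters or space, no ~ ^ : ? * [ \, no "..", no "@{", no
# trailing ".lock", ".", or "/", no leading "/" or ".", no "//", and not "@".
# The PoC payload contains a space, so it can never be a real branch; it only
# reached the page because the submitted parameter was trusted without lookup.
REF_FORBIDDEN = /[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{|\.lock\z|\.\z|\A\/|\/\z|\/\/|\A\.|\A@\z/

def valid_ref_name?(name)
  !name.empty? && !REF_FORBIDDEN.match?(name)
end

# Resolve the submitted parameter against the branches the repository actually
# has. Returns the branch name, or nil when the parameter must be rejected.
# `existing_branches` is constructed sample input; a real application would
# ask the repository.
def resolve_source_branch(param, existing_branches)
  return nil unless valid_ref_name?(param)

  existing_branches.include?(param) ? param : nil
end

if __FILE__ == $PROGRAM_NAME
  branches = %w[master test-branch]
  puts "unsafe:   #{render_source_branch_unsafe(PAYLOAD)}"
  puts "escaped:  #{render_source_branch_safe(PAYLOAD)}"
  puts "resolved: #{resolve_source_branch(PAYLOAD, branches).inspect}"
  puts "resolved: #{resolve_source_branch('test-branch', branches).inspect}"
end
```

Escaping at render time is the fix for the XSS itself; rejecting a source_branch that does not resolve to an existing ref is a separate check that keeps arbitrary attacker strings out of the merge request record in the first place, which also protects any other place (API responses, notifications) that later reads the stored value.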

jritchey Activities::Comment
2018-09-13T21:20:55.008Z
Hi @8ayac , Thank you for submitting this report. We are currently investigating the issue. Due to our current workload, we will get back within the next week with an update. Best regards, James


jritchey Activities::Comment
2018-09-14T21:47:56.397Z
Hi @8ayac , Thank you for submitting this report. I've validated that this is a persistent XSS issue. We are working internally on mitigating the issue at https://gitlab.com/gitlab-org/gitlab-ce/issues/51527. The issue will be made public 30 days after a patch has been released. We will keep you updated on our progress via HackerOne. Best regards, James


jritchey Activities::BugTriaged
2018-09-14T21:48:29.512Z


8ayac Activities::Comment
2018-11-07T14:23:26.262Z
@jritchey, Fixed it?


dappelt Activities::Comment
2018-11-08T18:34:11.216Z
Hi @8ayac, the issue was fixed in GitLab version 11.4.3, 11.3.8, and 11.2.7. Thank you again for the report. Best regards, Dennis


8ayac Activities::Comment
2018-11-08T19:34:52.088Z
@dappelt, OK, thanks. @jritchey, the issue has already been fixed. Can you not close this report yet?


dappelt Activities::BugResolved
2018-11-13T12:20:54.240Z
Hi 8ayac, I am closing the report. Thank you again for reporting. Best regards, Dennis


8ayac Activities::Comment
2018-11-13T13:52:18.789Z
Thank you @dappelt for closing this report.


8ayac Activities::Comment
2018-11-30T08:37:57.868Z
Hi @jritchey, May I publish this report? Thanks.


jritchey Activities::AgreedOnGoingPublic
2018-12-03T19:55:39.839Z
@8ayac , Yep, let's set to public. Best regards, James


8ayac Activities::AgreedOnGoingPublic
2018-12-03T22:15:49.190Z


8ayac Activities::ReportBecamePublic
2018-12-03T22:15:49.251Z