SSRF in HipChat integration!
I have found an issue which can be used by an attacker to make internal requests to localhost, i.e. 127.0.0.1, and all local IP ranges.
- Log into GitLab, create a project, and go to Integrations
- now go to the HipChat integration and enter in the serve
- and see error
wrong status line: "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4"
- I also confirmed in the latest GitLab EE with netcat:
I can also evade path with
# and change post to get with
access to internal services
Timeline: 2018-09-04 07:18:31 +0000: @ bull (comment) I will let you know if I can escalate this any further.
Please let me know if you need any more information or if I missed something. Thanks, @ bull
2018-09-05 17:37:03 +0000: @asaba (user assigned to bug [team-only])
Security Team Comments
The server URL is passed directly to the HipChat::Client. It should be sanitized for localhost addresses and respect the
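The direction the security team comment points in, rejecting server URLs that target localhost or internal ranges before they reach the client, can be sketched as below. This is an added example, not part of the report and not GitLab's code; `validate_server_url!`, `server_url_blocked?`, `BlockedUrlError` and the range list are assumptions made for illustration.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Ranges an integration server URL must never resolve to (illustrative list).
BLOCKED_RANGES = %w[
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class BlockedUrlError < StandardError; end

# Hypothetical helper. `resolver` is injectable so the check can be exercised
# offline; by default it performs a real lookup via Resolv.
def validate_server_url!(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url.to_s)
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise BlockedUrlError, 'only http(s) URLs with a host are allowed'
  end

  host = uri.hostname # strips the brackets from IPv6 literals
  addresses = begin
    [IPAddr.new(host)] # host is already an IP literal
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  raise BlockedUrlError, 'host does not resolve' if addresses.empty?

  addresses.each do |ip|
    ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 -> 127.0.0.1
    if BLOCKED_RANGES.any? { |range| range.include?(ip) }
      raise BlockedUrlError, "#{host} resolves to internal address #{ip}"
    end
  end
  uri
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  raise BlockedUrlError, 'malformed URL or address' # fail closed
end

# Predicate form: true when the URL must not be handed to the HTTP client.
def server_url_blocked?(url, **opts)
  validate_server_url!(url, **opts)
  false
rescue BlockedUrlError
  true
end
```

The decision is made on the resolved host only, so a path or fragment appended to the URL does not change the outcome. The check covers a single resolution: the client should connect to the address that was validated and not follow redirects to hosts that were not checked.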