Promoting a milestone is missing an authorization check
We received a report from an external security researcher that the functionality for promoting a milestone is missing an authorization check. The report can be found at https://hackerone.com/reports/406390. In summary, a project member in the Guest role can promote a project milestone to a group milestone, an action that is otherwise reserved for roles allowed to manage milestones and that cannot be undone.
I could reproduce the reported behavior and believe it is a bug.
Please find the full report below.
Title: Guest role user can promote open milestones in project
Scope: *.gitlab.com
Weakness: Privilege Escalation
Severity: No Rating
Link: https://hackerone.com/reports/406390
Date: 2018-09-06 08:50:02 +0000
By: @sandeep_hodkasia
Details:
Summary: Guest role user can promote open milestones in project.
Description: Guest role users are not allowed to edit, create or delete milestones in a project. But a privilege escalation on the vulnerable request allows a guest role user to promote an open milestone in the project. And once the milestone is promoted it will be available for all the projects inside the group, and this process can't be reversed.
## Vulnerable request:

```http
POST /sandeep01/test/milestones/4/promote HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/sandeep01/test/milestones/4
X-CSRF-Token: xxxx
X-Requested-With: XMLHttpRequest
Cookie: xxxxx
Connection: close
Content-Length: 28

{"params":{"format":"json"}}
```
Steps To Reproduce:
- Add a new project in a group.
- Add a guest member to the project.
- Create a new milestone in the project.
- Replay the vulnerable request in Burp Suite using the new guest role user's session.
- Change the group name (sandeep01), project name (test) and milestone number (4) in the vulnerable request to your account data.
- Hit the API.
- The milestone will be promoted.
Impact:
Guest role user can promote open milestones in project
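The following is an added example written for this issue; it is not GitLab's code and not part of the report above. It models a Rails-style "promote milestone" action in a few lines of plain Ruby: a vulnerable controller whose only gate is milestone read access (which any project member, Guest included, passes), and a fixed controller with an explicit authorization step. The role names, the `:admin_milestone` threshold (Reporter), the requirement to authorize against the group as well as the project, and the `authorize_promote_milestone!` helper are all assumptions chosen for illustration; the real thresholds live in GitLab's policy classes and may differ.

```ruby
# Added example, not GitLab's code. Assumptions (hypothetical):
#  - role ordering Guest < Reporter < Developer < Maintainer < Owner;
#  - :admin_milestone requires at least Reporter;
#  - promotion must also be authorized against the target group, since
#    the promoted milestone becomes visible to every project in it.

ROLE_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class Forbidden < StandardError; end

Milestone = Struct.new(:title, :parent)

class Group
  attr_reader :name, :members, :milestones
  def initialize(name)
    @name, @members, @milestones = name, {}, []
  end
end

class Project
  attr_reader :name, :group, :members, :milestones
  def initialize(name, group)
    @name, @group, @members, @milestones = name, group, {}, []
  end
end

module Policy
  # Role level the user holds directly on the resource, or nil if not a member.
  def self.level(user, resource)
    role = resource.members[user]
    role && ROLE_LEVELS.fetch(role)
  end

  def self.can?(user, ability, resource)
    lvl = level(user, resource)
    return false unless lvl
    case ability
    when :read_milestone  then lvl >= ROLE_LEVELS[:guest]
    when :admin_milestone then lvl >= ROLE_LEVELS[:reporter] # assumed threshold
    else false
    end
  end
end

# Promotion itself: the milestone moves from the project to its group.
# No demote exists, matching the report's note that this cannot be reversed.
module Promotes
  def promote!(milestone)
    project.milestones.delete(milestone)
    milestone.parent = project.group
    project.group.milestones << milestone
    milestone
  end
end

# Vulnerable: only "may this user read milestones" is checked, so any
# project member, Guest included, reaches promote!.
class VulnerableMilestonesController
  include Promotes
  attr_reader :project, :current_user
  def initialize(project, current_user)
    @project, @current_user = project, current_user
  end

  def promote(milestone)
    raise Forbidden, 'not found' unless Policy.can?(current_user, :read_milestone, project)
    promote!(milestone)
  end
end

# Fixed: an explicit check (the equivalent of a Rails before_action) that
# requires :admin_milestone on both the project and its group.
class FixedMilestonesController < VulnerableMilestonesController
  def promote(milestone)
    authorize_promote_milestone!
    promote!(milestone)
  end

  private

  def authorize_promote_milestone!
    return if Policy.can?(current_user, :admin_milestone, project) &&
              Policy.can?(current_user, :admin_milestone, project.group)
    raise Forbidden, 'promoting a milestone requires admin_milestone on project and group'
  end
end

# Constructed scenario mirroring the report: group sandeep01, project test,
# milestone 4, a Guest on the project and a Maintainer on project and group.
def build_scenario
  group = Group.new('sandeep01')
  project = Project.new('test', group)
  project.members['guest'] = :guest
  project.members['maint'] = :maintainer
  group.members['maint'] = :maintainer
  milestone = Milestone.new('4', project)
  project.milestones << milestone
  [group, project, milestone]
end

# True if the user ends up promoting the milestone, false if refused.
def promotes?(controller_class, user)
  group, project, milestone = build_scenario
  controller_class.new(project, user).promote(milestone)
  group.milestones.include?(milestone) && !project.milestones.include?(milestone)
rescue Forbidden
  false
end

puts "guest on vulnerable controller promotes: #{promotes?(VulnerableMilestonesController, 'guest')}"
puts "guest on fixed controller promotes:      #{promotes?(FixedMilestonesController, 'guest')}"
puts "maintainer on fixed controller promotes: #{promotes?(FixedMilestonesController, 'maint')}"
```

The check a practitioner would want alongside the fix is a request spec that replays the POST above as a Guest and asserts a 403 (and as a non-member, a 404), so the button being hidden in the UI is never the only control. The same audit applies to every other state-changing action on the controller: each one needs its own authorization step, not just the read-level `before_action` that loads the project.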