Stored XSS in latest IE

HackerOne report #437119 by ruvlol on 2018-11-08:

Asset: my own git installation from this https://about.gitlab.com/install/#ubuntu guide

Hello Gitlab team! I found a stored XSS which occurs in the latest IE due to a non-working X-Content-Security-Policy header.

How to reproduce:

  1. In the project's wiki create a page, upload an SVG from attachments, leave its markdown on the page, save it.
  2. Open the created page, open the SVG in a new tab, copy the URL (should look like http://localhost/root/qwe/wikis/uploads/bd8b123ae5fff32a3585265d7c0408d1/SVG_XSS.svg)
  3. Open this URL in the latest IE

How to fix:

  1. The issue appears because X-Content-Security-Policy: default-src 'none' isn't treated in IE as it should be and leads to XSS issues. This may be fixed if you return an X-Content-Security-Policy: sandbox header.

Although it occurs in self-hosted installations, gitlab.com itself is not vulnerable due to a different way of hosting wikis' images, accessible on the same URL (/wikis/uploads/bd8b123ae5fff32a3585265d7c0408d1/SVG_XSS.svg).

Impact

Stored XSS in the latest IE in all git installations.
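The report turns on one header detail: legacy IE (10 and 11) honours only the `sandbox` directive in the X-Content-Security-Policy header, so `default-src 'none'` delivered through that header alone does nothing there. The following is an added example, not code from the report or from GitLab: a small checker that flags the header pattern described above on a response serving an uploaded SVG, and a helper that builds a header set for untrusted uploads which does not depend on IE's CSP support (forcing a download and refusing MIME sniffing). The header values and the sample response are constructed for the example.

```python
"""Added example (not part of the HackerOne report or of GitLab's code).

* check_upload_headers() flags the weakness the report describes: a CSP
  delivered only through the legacy X-Content-Security-Policy header
  without the `sandbox` directive, plus an upload served inline.
* hardened_upload_headers() builds a header set for serving an attachment
  such as a wiki SVG that does not rely on IE's CSP support.

Header values below are constructed for the example.
"""
from typing import Dict, List

LEGACY_CSP = "X-Content-Security-Policy"
CSP = "Content-Security-Policy"


def _directives(policy: str) -> List[str]:
    """Split a CSP string into lower-cased directive names."""
    return [d.strip().split(" ")[0].lower() for d in policy.split(";") if d.strip()]


def check_upload_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no issue was found.

    Header lookup is case-insensitive, as HTTP header names are.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    legacy = h.get(LEGACY_CSP.lower())
    if legacy is not None and "sandbox" not in _directives(legacy):
        findings.append(
            f"{LEGACY_CSP} lacks 'sandbox'; legacy IE ignores its other directives"
        )

    # An SVG rendered inline in the browser is the vector in the report;
    # forcing a download and refusing MIME sniffing removes the render step.
    disp = h.get("content-disposition", "")
    if not disp.lower().startswith("attachment"):
        findings.append("Content-Disposition is not 'attachment'; upload renders inline")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


def hardened_upload_headers(filename: str) -> Dict[str, str]:
    """Header set for serving an untrusted upload (constructed example)."""
    safe_name = filename.replace('"', "")  # keep the quoted-string parameter well-formed
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        CSP: "default-src 'none'; sandbox",
        # Only `sandbox` is meaningful to legacy IE in this header.
        LEGACY_CSP: "sandbox",
    }


if __name__ == "__main__":
    # Constructed response headers mirroring the weakness described in the report.
    weak = {
        "Content-Type": "image/svg+xml",
        "X-Content-Security-Policy": "default-src 'none'",
    }
    for finding in check_upload_headers(weak):
        print("finding:", finding)
    print("hardened:", check_upload_headers(hardened_upload_headers("SVG_XSS.svg")))
```

Run against the constructed weak response it reports three findings; run against the output of `hardened_upload_headers()` it reports none. The checker looks only at the legacy header because that is the one IE consults; a modern browser reads Content-Security-Policy, which the hardened set also carries.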
