Stored XSS in latest IE
HackerOne report #437119 by ruvlol on 2018-11-08:
Asset: my own git installation from this https://about.gitlab.com/install/#ubuntu guide
Hello Gitlab team! I found a stored XSS which occurs in the latest IE due to a non-working X-Content-Security-Policy header.
How to reproduce:
- In the project's wiki create a page, upload an SVG from attachments, leave its markdown on the page, save it.
- Open the created page, open the SVG in a new tab, copy the URL (should look like http://localhost/root/qwe/wikis/uploads/bd8b123ae5fff32a3585265d7c0408d1/SVG_XSS.svg)
- Open this URL in the latest IE
How to fix:
- The issue appears because X-Content-Security-Policy: default-src 'none' isn't treated in IE as it should be and leads to XSS issues. This may be fixed if you return an X-Content-Security-Policy: sandbox header.
Although it occurs in self-hosted installations, gitlab.com itself is not vulnerable due to a different way of hosting wiki images, accessible on the same URL (/wikis/uploads/bd8b123ae5fff32a3585265d7c0408d1/SVG_XSS.svg).
Impact
Stored XSS in the latest IE in all git installations.
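Added example, not part of the report or of GitLab's code: a header check that flags an inline-served SVG response whose policy would stop script in CSP-capable browsers but not in legacy IE, which only honours the sandbox directive of X-Content-Security-Policy. The header sets are constructed to mirror the weak and fixed configurations described above.

```python
from typing import Dict, List

# Constructed sample: the self-hosted instance serves the SVG inline with
# default-src 'none' in both headers; fine for modern browsers, not for IE.
WEAK_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'none'",
    "X-Content-Security-Policy": "default-src 'none'",
}
# Constructed sample of the fix: the sandbox directive is what legacy IE honours.
FIXED_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'none'; sandbox",
    "X-Content-Security-Policy": "sandbox",
}

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source values]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _blocks_inline_script(csp: Dict[str, List[str]]) -> bool:
    """True if a CSP-capable browser would refuse to run script in the SVG."""
    if "sandbox" in csp:
        return True
    effective = csp.get("script-src", csp.get("default-src", []))
    return effective == ["'none'"]

def svg_response_findings(headers: Dict[str, str]) -> List[str]:
    """Return the problems with an SVG response's headers (empty list = OK)."""
    h = {k.lower(): v for k, v in headers.items()}
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "image/svg+xml":
        return []  # not an SVG, nothing to assess here
    if "attachment" in h.get("content-disposition", "").lower():
        return []  # forced download: never rendered as a document
    findings = []
    if not _blocks_inline_script(parse_csp(h.get("content-security-policy", ""))):
        findings.append("Content-Security-Policy does not block inline script")
    # IE 10/11 ignore Content-Security-Policy and understand only the sandbox
    # directive of X-Content-Security-Policy, so default-src 'none' is a no-op there.
    if "sandbox" not in parse_csp(h.get("x-content-security-policy", "")):
        findings.append("X-Content-Security-Policy lacks sandbox: legacy IE will run inline script")
    return findings
```

Run `svg_response_findings` over the headers of an uploaded SVG fetched from the instance to confirm a deployment is covered for both browser families.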