Project details disclosure of restricted internal Projects/Groups(IDOR)
HackerOne report #441017 by vijay_kumar1110 on 2018-11-15:
## Summary & Description:
In the Project --> Settings --> General --> Permissions you can restrict access of Issues, Repository, Wiki etc. to "Only project members". Once you make these changes, no other user should be able to access your project repository or any related details. But there is an API request of the board list which is disclosing multiple data about the project which should be restricted.
It discloses many details about the lists, labels, milestones, users associated, etc.
## Vulnerable API request: https://gitlab.com/-/boards/[Board_ID]/lists
## Sample JSON Response:
[{"id":2267641,"list_type":"backlog","position":null,"title":"Backlog","label":null,"user":null,"milestone":null},{"id":2267973,"list_type":"label","position":0,"title":"VGtestLabel1","label":{"id":8564533,"title":"VGtestLabel1","color":"#428BCA","description":"VGtestLabel","text_color":"#FFFFFF","type":"ProjectLabel","priority":1},"user":null,"milestone":null},{"id":2267642,"list_type":"closed","position":null,"title":"Closed","label":null,"user":null,"milestone":null},{"id":2301401,"list_type":"assignee","position":1,"title":"@bugcrowdtester1110","label":null,"user":{"id":3086512,"name":"bugcrowdtester","username":"bugcrowdtester1110","state":"active","avatar_url":"https://secure.gravatar.com/avatar/3432b4f342c49c4e307981dd40f99149?s=80\u0026d=identicon","web_url":"https://gitlab.com/bugcrowdtester1110","status_tooltip_html":null,"path":"/bugcrowdtester1110"},"milestone":null},{"id":2301402,"list_type":"milestone","position":2,"title":"VG test milstone","label":null,"user":null,"milestone":{"id":700538,"iid":1,"project_id":9201628,"title":"VG test milstone","description":"VG test milstone","state":"active","created_at":"2018-11-06T00:03:34.112Z","updated_at":"2018-11-06T00:03:34.112Z","due_date":"2018-11-15","start_date":"2018-11-07","web_url":"https://gitlab.com/vijaygangani11107/testproject2/milestones/1"}}]
## Steps To Reproduce:
Take 2 different accounts to reproduce this issue.
1. Log in from the victim account and create a project.
2. Keep the project as internal/public and set the "Only project members" permission for Repository, Issues, Wiki, Snippets.
3. Go to CI/CD and disable the public pipeline too.
4. Now only members should be able to access issues, and no other user should be able to access any details of issues, lists, milestones.
5. Now log in from the attacker account and go to the project.
6. Now you will notice that this user doesn't have access to the Issues, Lists, Boards etc. sections of the project.
7. Now run the above-mentioned API request with a valid project_name.
8. In the JSON response you will see multiple details like those mentioned in the sample response.
## Supporting Material/References:
Let me know if you require one.
## Impact
Project details disclosure of restricted internal Projects/Groups(IDOR)
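The authorization gap the report describes is a feature-level check that was skipped: the endpoint confirmed the caller could see the project at all, but not that the caller could read the project's issues, which is the feature the board lists (and their labels, milestones and assignees) belong to. The following is an added example, not code from the report or from GitLab: it models a project with a per-feature "Only project members" setting in a small hypothetical data model and shows a list endpoint that checks only project visibility beside one that checks issue visibility. All class and function names are assumptions for illustration.

```python
"""Hypothetical model of a board-list endpoint's authorization check (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Visibility(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"    # visible to any signed-in user
    PRIVATE = "private"


class FeatureAccess(Enum):
    DISABLED = "disabled"
    MEMBERS_ONLY = "members_only"   # the "Only project members" setting from the report
    EVERYONE = "everyone"           # everyone who can see the project


@dataclass
class User:
    id: int


@dataclass
class Project:
    id: int
    visibility: Visibility
    issues_access: FeatureAccess
    members: set = field(default_factory=set)   # user ids


@dataclass
class BoardList:
    # Constructed sample shape, trimmed from the report's JSON response.
    id: int
    list_type: str
    title: str
    milestone_title: Optional[str] = None


@dataclass
class Board:
    id: int
    project: Project
    lists: list


class Forbidden(Exception):
    """Raised when the caller may not read the resource."""


def can_access_project(project: Project, user: Optional[User]) -> bool:
    """Project-level visibility only: members, public, or internal for signed-in users."""
    if user is not None and user.id in project.members:
        return True
    if project.visibility is Visibility.PUBLIC:
        return True
    if project.visibility is Visibility.INTERNAL and user is not None:
        return True
    return False


def can_read_issues(project: Project, user: Optional[User]) -> bool:
    """Feature-level check: project visibility AND the issues feature's own access level."""
    if not can_access_project(project, user):
        return False
    if project.issues_access is FeatureAccess.DISABLED:
        return False
    if project.issues_access is FeatureAccess.MEMBERS_ONLY:
        return user is not None and user.id in project.members
    return True


def serialize(board_list: BoardList) -> dict:
    return {
        "id": board_list.id,
        "list_type": board_list.list_type,
        "title": board_list.title,
        "milestone": board_list.milestone_title,
    }


def board_lists_vulnerable(board: Board, user: Optional[User]) -> list:
    """Checks only that the project is visible; an internal project with
    issues set to 'Only project members' still returns its lists to any signed-in user."""
    if not can_access_project(board.project, user):
        raise Forbidden
    return [serialize(l) for l in board.lists]


def board_lists_fixed(board: Board, user: Optional[User]) -> list:
    """Gates the board on the issues feature, which is what the lists describe."""
    if not can_read_issues(board.project, user):
        raise Forbidden
    return [serialize(l) for l in board.lists]


def demo() -> dict:
    """Constructed scenario from the report's reproduction steps."""
    owner, outsider = User(1), User(2)
    project = Project(9201628, Visibility.INTERNAL, FeatureAccess.MEMBERS_ONLY, {owner.id})
    board = Board(2267641, project, [
        BoardList(2267641, "backlog", "Backlog"),
        BoardList(2301402, "milestone", "VG test milstone", "VG test milstone"),
    ])

    def outcome(handler, user):
        try:
            return len(handler(board, user))
        except Forbidden:
            return "forbidden"

    return {
        "vulnerable_outsider": outcome(board_lists_vulnerable, outsider),
        "fixed_outsider": outcome(board_lists_fixed, outsider),
        "fixed_member": outcome(board_lists_fixed, owner),
        "fixed_anonymous": outcome(board_lists_fixed, None),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that every serializer nested in the response (label, user, milestone) inherits the weakest check on the path to it, so the check belongs at the feature the board represents, not at the project. When the fixed handler denies access, responding the same way as for a nonexistent board avoids confirming to a non-member that the board ID exists.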