
Failed mirror password leak in production.log and web GUI

HackerOne report #493735 by j-jam on 2019-02-10, assigned to estrike:

Summary

A maintainer of a project has the ability to mirror a repository. After creating a mirror using the git URL format (git://) and entering a password, this password is leaked in plain text if there is a problem updating the mirror. It is also written in plain text in the GitLab server production log: /var/log/gitlab/gitlab-rails/production.log

PoC Setup

Local install of the latest version of GitLab on Ubuntu 18.04 LTS x64, using testuser1 as the user account on the testuser1-secret private project.

PoC

-Log in as testuser1, navigate to the testuser1-secret project, select the Repository option from the Settings menu and then Mirror a repository. Enter the following details:

Git repository URL: git://testuser1@192.168.0.16/testuser1/testuser1-secret.git  
Mirror direction: push  
Authentication method: password  
Password: passwordleak  

Click on Mirror repository

image1-repo_setup.PNG

-Once the mirror is created, you will see that the Git URL has the password masked. Click on the update icon and a red box labelled Error will appear. Hover over this box and the Git URL will be shown in the error message with the password in plaintext.

image2-passwordleak.PNG

Note: I assume the repo failed to mirror because I specified an existing project, or because I was using a private IP address.

-On the GitLab server, open the following log and you will see that the password has been written in plaintext there as well: /var/log/gitlab/gitlab-rails/production.log

image3-logfile.PNG

Note: The password is also written in plaintext in the gitaly/current and sidekiq/current logs.

-It should also be noted that when importing a new project via URL, if there is a problem connecting to a remote repository that requires authentication, the password is again leaked in plaintext, but only in the /var/log/gitlab/gitaly/current log. If you would like further screenshots or a PoC for this then let me know.

Impact

The impact of this vulnerability is that other maintainer-level users can view the password of a faulty mirror that was set by another maintainer. The passwords are also accessible to whoever has the necessary access to the GitLab server log files. In most enterprise environments the log files will also be shipped to a central syslog server for analysis, exposing the password there as well.
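The root cause on both paths is the same: a remote URL with embedded `user:password@` userinfo is copied verbatim into an error message and into log lines. The helper below is an added example, not GitLab's own code, showing the defensive pattern of redacting URL credentials before any text reaches a UI error or a log sink; the sample lines are constructed in the shape of the failing mirror update and production.log entry above, with hypothetical values.

```ruby
# Added example: redact passwords embedded in remote URLs before an error
# message or log line is displayed or written. Hypothetical helper, not
# part of GitLab.

# Matches scheme://user:password@ and captures everything up to the password.
# RFC 3986 userinfo cannot contain unencoded '/', '?', '#' or '@', so a
# percent-encoded password (e.g. s3cr%40t) is still matched whole, while a
# host:port followed by a path or query is not mistaken for credentials.
CREDENTIALED_URL = %r{([a-z][a-z0-9+.-]*://[^:/@\s]+:)([^@\s/?#]+)@}i

def redact_url_credentials(text, mask: "*****")
  text.gsub(CREDENTIALED_URL) { "#{Regexp.last_match(1)}#{mask}@" }
end

# Constructed sample lines (hypothetical values, not real credentials):
# a mirror-update error, a request log line carrying an https URL with a
# percent-encoded password, and a URL with no password at all.
SAMPLE_LINES = [
  "Error: fatal: unable to access 'git://testuser1:passwordleak@192.168.0.16/testuser1/testuser1-secret.git'",
  "Started POST /testuser1/testuser1-secret/mirror url=https://deploy:s3cr%40t@git.example.test/x.git",
  "Mirror URL without a password: git://testuser1@192.168.0.16/testuser1/testuser1-secret.git"
].freeze

# Returns the sample lines as they should look after redaction.
def redacted_sample_lines
  SAMPLE_LINES.map { |line| redact_url_credentials(line) }
end

puts redacted_sample_lines if __FILE__ == $PROGRAM_NAME
```

Applying such a filter at the logger and at the point where the mirror error is rendered closes both leak paths described in the report without changing what the user can otherwise see.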
