SSRF in Prometheus integration
HackerOne report #427364 by bull on 2018-10-23:
Hi,
I have found an issue which can be used by an attacker to make internal requests to localhost, i.e. 127.0.0.1, and the whole local IP range.
Issue:
So the problem here is that it blocks localhost URL input, but if I provide an external link and it redirects, GitLab doesn't make any check after the redirect and makes the request to the internal network. I can also evade the path with #.
POC:
- Log into GitLab, create a project and go to Integrations.
- Now go to the Prometheus integration and enter in the API URL
http://bullbucket.s3-website-us-east-1.amazonaws.com/scuscscnhfdfssadqdq
which redirects to http://127.0.0.1:12345/ssrf/dbvdbhvdb/local#
- Open netcat on port 12345 in GitLab EE to check if the request is really made to the internal network or not.
Screen_Recording_2018-10-23_at_8.14.36_PM.mov
Please let me know if you need any more information or if I missed something. Thanks, @bull
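The redirect bypass described above, as an added example that is not part of the report and not GitLab's own code. It models the report's two URLs with a constructed in-memory "network" (no real requests are made) and contrasts a naive fetcher that validates only the user-supplied URL with one that re-validates every redirect hop. The `internal_host?` blocklist and the `effective_path` helper are stand-ins written for this example; `effective_path` assumes the integration appends the Prometheus API path to the configured base URL by string concatenation, which the report hints at with the trailing `#` but does not state.

```ruby
require 'uri'
require 'ipaddr'

# Stand-in blocklist (NOT GitLab's Gitlab::UrlBlocker): rejects localhost and
# literal loopback / private / link-local IPs. It does not resolve hostnames,
# which a real blocker must do (and pin the resolved IP) or DNS defeats it.
def internal_host?(host)
  return true if host == 'localhost'
  ip = (IPAddr.new(host) rescue nil) # non-IP hostnames are treated as external here
  return false if ip.nil?
  ip.loopback? || ip.private? || ip.link_local?
end

# Fragments are never sent on the wire, so the lookup key ignores them.
def wire_key(uri)
  "#{uri.host}:#{uri.port}#{uri.path}"
end

# Constructed network: the report's S3 URL 302s to the loopback URL,
# which answers 200 (the netcat listener in the PoC).
FAKE_NET = {
  'bullbucket.s3-website-us-east-1.amazonaws.com:80/scuscscnhfdfssadqdq' =>
    [302, 'http://127.0.0.1:12345/ssrf/dbvdbhvdb/local#'],
  '127.0.0.1:12345/ssrf/dbvdbhvdb/local' => [200, nil],
}.freeze

POC_URL = 'http://bullbucket.s3-website-us-east-1.amazonaws.com/scuscscnhfdfssadqdq'

# Vulnerable pattern: validate only the URL the user typed, then follow
# redirects blindly. Returns [status, wire_key] of the final response.
def fetch_naive(url, net = FAKE_NET, max_hops = 5)
  uri = URI.parse(url)
  return [:blocked, uri.host] if internal_host?(uri.host)
  max_hops.times do
    status, location = net.fetch(wire_key(uri), [404, nil])
    return [status, wire_key(uri)] unless status == 302
    uri = URI.parse(location) # the bug: no re-check of the redirect target
  end
  [:too_many_redirects, nil]
end

# Fixed pattern: re-validate the host of every hop before issuing the request.
def fetch_checked(url, net = FAKE_NET, max_hops = 5)
  uri = URI.parse(url)
  max_hops.times do
    return [:blocked, uri.host] if internal_host?(uri.host)
    status, location = net.fetch(wire_key(uri), [404, nil])
    return [status, wire_key(uri)] unless status == 302
    uri = URI.parse(location)
  end
  [:too_many_redirects, nil]
end

# Why the redirect target ends in '#': if a client builds its request URL by
# appending an API path to the base (an assumption for this example), the
# appended path lands in the fragment and the attacker's path is what is sent.
def effective_path(base_url, api_path)
  URI.parse(base_url + api_path).path
end

if __FILE__ == $0
  p fetch_naive(POC_URL)     # reaches 127.0.0.1:12345
  p fetch_checked(POC_URL)   # blocked at the redirect hop
  p effective_path('http://127.0.0.1:12345/ssrf/dbvdbhvdb/local#', '/api/v1/query')
end
```

Checking each hop is necessary but not sufficient: the stand-in above only inspects literal IPs, so a production fix also has to resolve hostnames, validate the resolved addresses, and connect to those same addresses rather than re-resolving, or a hostname that resolves to 127.0.0.1 (or rebinds between check and use) gets through.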
Impact
access to internal services
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Fix
Security issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2736
Edited by Reuben Pereira