Ability to access all user authentication tokens via project import/export
Vulnerability types: Information Disclosure and Privilege Escalation.
The project export feature serializes the user objects of team members and stores them in the project.json file. This object contains the authentication_token for every user, meaning that an attacker can simply go ahead and create a project on GitLab.com, add one of the admins of GitLab.com, create an export, and obtain the authentication token for that user.
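The root cause described above is a serializer that dumps every column of the user record into the export. The following Ruby is an added illustration written for this write-up, not GitLab's own code: it contrasts the whole-record dump with an explicit allow-list of exportable attributes, and adds a check that walks a generated export and reports any key that looks like a credential before the archive is handed out. The sample user record, the attribute names other than authentication_token, and the key pattern are constructed assumptions.

```ruby
require 'json'

# Constructed sample record standing in for a user row; none of these values are real.
SAMPLE_USER = {
  'id' => 42,
  'username' => 'example_admin',          # placeholder, not a real account
  'name' => 'Example Admin',
  'email' => 'admin@example.invalid',
  'admin' => true,
  'encrypted_password' => 'constructed-hash-placeholder',
  'authentication_token' => 'CONSTRUCTED_TOKEN_NOT_REAL',
  'created_at' => '2016-05-01T00:00:00Z'
}.freeze

# Weak pattern: every column of the record ends up in the export. This is the
# behaviour the report describes, where project_members embeds the full user object.
def export_user_unsafe(user)
  user.dup
end

# Hardened pattern: an explicit allow-list of attributes that belong in an export.
# Anything not named here is dropped, so a newly added secret column can never
# leak by default.
EXPORTABLE_USER_ATTRIBUTES = %w[id username name email].freeze

def export_user_safe(user)
  user.select { |k, _| EXPORTABLE_USER_ATTRIBUTES.include?(k) }
end

# Defensive check to run over a generated project.json before it is made
# downloadable: walk the structure and return dotted paths of any keys that look
# like credentials. The pattern is an assumption covering the field named in the
# report plus common Rails/Devise column names.
SECRET_KEY_PATTERN = /token|password|secret|otp/i

def leaked_secret_keys(node, path = [])
  case node
  when Hash
    node.flat_map do |k, v|
      here = path + [k.to_s]
      hits = k.to_s.match?(SECRET_KEY_PATTERN) ? [here.join('.')] : []
      hits + leaked_secret_keys(v, here)
    end
  when Array
    node.each_with_index.flat_map { |v, i| leaked_secret_keys(v, path + [i.to_s]) }
  else
    []
  end
end

# Build a minimal export shaped like the report describes: a project_members
# array whose entries embed the serialized user object.
def build_export(user_serializer)
  {
    'name' => 'example-project',
    'project_members' => [
      { 'access_level' => 40, 'user' => user_serializer.call(SAMPLE_USER) }
    ]
  }
end

if $PROGRAM_NAME == __FILE__
  unsafe = build_export(method(:export_user_unsafe))
  safe   = build_export(method(:export_user_safe))
  puts "unsafe export leaks: #{leaked_secret_keys(unsafe).inspect}"
  puts "safe export leaks:   #{leaked_secret_keys(safe).inspect}"
  puts JSON.pretty_generate(safe)
end
```

Run stand-alone, the unsafe export reports both the encrypted password and the authentication token under project_members, while the allow-listed export reports nothing. The allow-list is the fix that matters; the scanner is a cheap regression guard that catches the next sensitive column added to the model.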
Proof of concept
Follow these steps to reproduce the issue:
- create a test account on a GitLab instance and create a temporary repository
- invite an admin of the GitLab instance as a team member to the repository
- go to the repository settings and create an export
- wait a few minutes until you have received the export email
- now go to http://gitlab-instance/account/repo/download_export
- unzip the downloaded file and examine

project_members will contain the user object that contains the
Here are the first few bytes of rspeicher's (sorry Robert) authentication token on GitLab.com:
ZyhqJr4XJZ.... Someone could get access to GitLab's admin panel by extracting the token of an admin and go to https://gitlab.com/admin/users?private_token=. From what I've seen on my own GitLab instance, this leads to RCE and gives me access to all code in private repositories. Let me know if you need more information!