  • #20974
Closed
Created Aug 16, 2016 by Robert Speicher@rspeicherContributor

Urgent: ability to access all user authentication tokens, leads to RCE

  • Title: Urgent: ability to access all user authentication tokens, leads to RCE
  • Types: Information Disclosure, Privilege Escalation
  • Link: https://hackerone.com/reports/158330
  • Date: 2016-08-10 20:21:05 -0500
  • By: jobert

Details:

Vulnerability details

The project export feature serializes the user objects of team members and stores them in the project.json file. This object contains the authentication_token for every user, meaning that an attacker can simply go ahead and create a project on GitLab.com, add one of the admins of GitLab.com, create an export, and obtain the authentication token for that user.

Proof of concept

Follow these steps to reproduce the issue:

  • create a test account on a GitLab instance and create a temporary repository
  • invite an admin of the GitLab instance as a team member to the repository
  • go to the repository settings and create an export
  • wait a few minutes until you have received the export email
  • now go to http://gitlab-instance/account/repo/download_export
  • unzip the downloaded file and examine projects.json - the project_members will contain the user object that contains the authentication_token

Here are the first few bytes of rspeicher's (sorry Robert) authentication token on GitLab.com: [redacted]. Someone could get access to GitLab's admin panel by extracting the token of an admin and going to https://gitlab.com/admin/users?authentication_token=. From what I've seen on my own GitLab instance, this leads to RCE and gives me access to all code in private repositories. Let me know if you need more information!
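As an added defender-side check (example code written for this page, not GitLab's own code or its fix): a small Ruby script that walks an export's project.json for token-like user attributes and shows an allowlist-based scrub of the embedded user objects. SENSITIVE_KEYS, USER_EXPORT_ALLOWLIST and the sample export are constructed assumptions, not GitLab's actual schema.

```ruby
require 'json'

# Attribute names that must never leave the instance in an export (constructed list).
SENSITIVE_KEYS = %w[authentication_token private_token encrypted_password
                    encrypted_otp_secret incoming_email_token].freeze

# Allowlist of user attributes considered safe inside project_members (assumption).
USER_EXPORT_ALLOWLIST = %w[id username name state].freeze

# Walk any parsed JSON structure and return a JSONPath-like string for every
# sensitive key found, so an export can be audited before it is downloaded.
def find_sensitive_fields(node, path = "$")
  case node
  when Hash
    node.flat_map do |k, v|
      hits = SENSITIVE_KEYS.include?(k.to_s) ? ["#{path}.#{k}"] : []
      hits + find_sensitive_fields(v, "#{path}.#{k}")
    end
  when Array
    node.each_with_index.flat_map { |v, i| find_sensitive_fields(v, "#{path}[#{i}]") }
  else
    []
  end
end

# Reduce an embedded user object to the allowlisted attributes only
# (allowlist rather than denylist, so newly added secret columns stay out).
def scrub_user(user)
  user.select { |k, _| USER_EXPORT_ALLOWLIST.include?(k.to_s) }
end

# Apply scrub_user to every project_members[*].user entry of an export hash.
def scrub_export(export)
  out = export.dup
  out["project_members"] = Array(export["project_members"]).map do |m|
    m.merge("user" => scrub_user(m["user"] || {}))
  end
  out
end

# Constructed sample mimicking the leaky layout the report describes.
SAMPLE_EXPORT = <<~JSON
  { "name": "temp-repo",
    "project_members": [
      { "access_level": 40,
        "user": { "id": 1, "username": "rspeicher", "name": "Robert",
                  "authentication_token": "PLACEHOLDER-NOT-A-REAL-TOKEN",
                  "encrypted_password": "PLACEHOLDER-NOT-A-REAL-HASH" } } ] }
JSON

if __FILE__ == $0
  export = JSON.parse(SAMPLE_EXPORT)
  puts find_sensitive_fields(export)                 # two leaked paths
  puts find_sensitive_fields(scrub_export(export)).inspect  # []
end
```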
