Urgent: ability to access all user authentication tokens, leads to RCE

Title: Urgent: ability to access all user authentication tokens, leads to RCE
Types: Information Disclosure, Privilege Escalation
Link: https://hackerone.com/reports/158330
Date: 2016-08-10 20:21:05 -0500
By: jobert

Details:

Vulnerability details

The project export feature serializes the user objects of team members and stores it in the project.json file. This object contains the authentication_token for every user, meaning that an attacker can simply go ahead and create a project on GitLab.com, add one of the admins of GitLab.com, create an export, and obtain the authentication token for that user.

Proof of concept

Follow these steps to reproduce the issue:

create a test account on a GitLab instance and create a temporary repository
invite an admin of the GitLab instance as a team member to the repository
go to the repository settings and create an export
wait a few minutes until you received the export email
now go to http://gitlab-instance/account/repo/download_export
unzip the downloaded file and examine projects.json - the project_members will contain the user object that contains the authentication_token

Here's the first few bytes of rspeicher (sorry Robert) his authentication token on GitLab.com: [redacted]. Someone could get access to GitLab's admin panel by extracting the token of an admin and go to https://gitlab.com/admin/users?authentication_token=. From what I've seen on my own GitLab instance, this leads to RCE and gives me access to all code in private repositories. Let me know if you need more information!

- Title:	Urgent: ability to access all user authentication tokens, leads to RCE
- Types:	Information Disclosure, Privilege Escalation
- Link:	https://hackerone.com/reports/158330
- Date:	2016-08-10 20:21:05 -0500
- By:		jobert

Details:

# Vulnerability details
The project export feature serializes the user objects of team members and stores it in the `project.json` file. This object contains the `authentication_token` for every user, meaning that an attacker can simply go ahead and create a project on GitLab.com, add one of the admins of GitLab.com, create an export, and obtain the authentication token for that user.

# Proof of concept
Follow these steps to reproduce the issue:

- create a test account on a GitLab instance and create a temporary repository
 - invite an admin of the GitLab instance as a team member to the repository
 - go to the repository settings and create an export
 - wait a few minutes until you received the export email
 - now go to http://gitlab-instance/account/repo/download_export
 - unzip the downloaded file and examine `projects.json` - the `project_members` will contain the user object that contains the `authentication_token`

Here's the first few bytes of `rspeicher` (sorry Robert) his authentication token on GitLab.com: [redacted]. Someone could get access to GitLab's admin panel by extracting the token of an admin and go to https://gitlab.com/admin/users?authentication_token=<token>. From what I've seen on my own GitLab instance, this leads to RCE and gives me access to all code in private repositories. Let me know if you need more information!

Urgent: ability to access all user authentication tokens, leads to RCE

Vulnerability details

Proof of concept

Linked issues