Sensitive information is stored in browser history
We received a report from an external security researcher that pages with sensitive information are stored in the browser history. Please see the full report below.
Title: Unauthorized users may be able to view almost all information related to Private projects.
Scope: None
Weakness: Information Disclosure
Severity: Medium (4.6)
Link: https://hackerone.com/reports/407763
Date: 2018-09-09 16:40:04 +0000
By: @8ayac
Summary: On most of the pages related to Private projects, cache control is inadequate, so the contents of Private projects may leak to unauthorized users.
For visibility of projects, you can select
Among them, Private projects can only be viewed by project members. (In other words, they cannot be viewed by those who are not project members.)
The GitLab documentation also mentions the following:
Private projects can only be cloned and viewed by project members, ...
However, due to inadequate cache control on most of the pages related to Private projects, an attacker may view these contents using the 'Back' button in the browser. In addition, users who are not logged in can also exploit this problem.
Note: This issue supports all modern browsers.
Steps To Reproduce:
- Sign in to GitLab.
- Click the "[+]" icon.
- Click "New Project".
- Fill out "Project name" form with "PoC".
- Check the check box of "Private".
- Click "Create project" button.
- Sign out from Gitlab.
- Hit the "Back" button in browser.
Result: The content of the private project "PoC" is displayed without logging in.
This issue leads to information leakage. Cache control is inadequate on most pages related to Private projects. Therefore, almost all contents of a Private project may leak.
Although the exploitation needs physical access to the victim's PC, it is not very difficult to access someone's PC in the following scenarios:
- Office scenario
- Laptop case
The examples of critical information that may leak are as follows:
- List of file names
- Source code
- Commit log
- Contents of the wiki
Note: The official document specifies that they will not be viewed by unauthorized users.