Failed mirror password leak in production.log and web GUI
HackerOne report #493735 by j-jam
on 2019-02-10, assigned to estrike
:
Summary
A maintainer of a project has the ability to mirror a repository. After creating a mirror using the git URL format (git://) and entering a password, this password is leaked in plain text if there is a problem updating the mirror. It is also written in plain text in the GitLab server production log: /var/log/gitlab/gitlab-rails/production.log
PoC Setup
Local install of the latest version of GitLab on Ubuntu 18.04 LTS x64. Using testuser1 as the user account on the testuser-secret private project
PoC
-Login as testuser1 and navigate to the testuser1-secret project, select the Repository option from the Settings menu and then Mirror a repository. Enter in the following details:
Git repository URL: git://testuser1@192.168.0.16/testuser1/testuser1-secret.git
Mirror direction: push
Authentication method: password
Password: passwordleak
Click on Mirror repository
-Once the mirror is created, you will see the Git url has the password masked. Click on the update icon and a red box with Error written in it will appear. Hover over this box and the Git url will be highlighted in the error message with the password in plaintext
Note. I assume the repo has failed to mirror as I specified an existing project or it was because I was using a private IP address
-On the GitLab server, access the following log and you will see the password has been written in plaintext there as well: /var/log/gitlab/gitlab-rails/production.log
Note. The password is also written in plaintext in the gitlaly/current and /sidekiq/current logs as well
-It should also be noted that when importing a new project via URL, and if there is an issue with connecting to a remote repository with authentication, the password is leaked again in plaintext but only in the /var/log/gitlab/gitaly/current log. If you would like further screenshots or a PoC with this then let me know.
Impact
The impact of this vulnerability is that other maintainer level users can view a password of a faulty mirror that could have been set by another maintainer. The passwords are also now accessible to whomever has the necessary access to the GitLab server log files. The log files will most likely also be shipped to a central syslog server for analysis in most Enterprise environments, thus exposing the password there as well.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!