Stored XSS in 'Move Issue' using project namespace (attacker's name at point of creation)
Link: https://hackerone.com/reports/303388 By: @fransrosen
When a user creates a new project, the project gets the user's current name as the namespace prefix of the project. What was interesting is that even though the user later changes their name, the old namespace is still saved on the repo; these are two repos for the same user:
Now, this is not relevant to the issue itself, but it actually makes exploitation easier: you don't need to keep the payload in your name for it to trigger, you can change it back to a legitimate name afterwards, since it's the stored namespace that carries the payload.
The issue seems to be in the project selector inside the issue view when selecting Move issue:
The root cause seems to be a complete lack of sanitization of the name_with_namespace value: nothing needs HTML entities or any encoding trick, a simple XSS PoC payload like this one is enough:

```html
<img src=x onerror=alert(document.domain)>
```
The code which is causing this is here: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js#L44
```javascript
renderRow: project => `
  <li>
    <a href="#" class="js-move-issue-dropdown-item">
      ${project.name_with_namespace}
    </a>
  </li>
`,
```
As you can see, no escaping happens here at all: name_with_namespace is interpolated straight into the markup.
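To make the defect concrete, here is an added example (not GitLab's code) that puts the unescaped renderRow pattern from sidebar_move_issue.js next to a hardened version and runs both over a constructed project list whose namespace carries the payload from this report. The escapeHtml helper, the renderDropdown wrapper and the hasForeignTag check are assumptions for the demonstration; a library helper such as lodash's _.escape does the same job as escapeHtml.

```javascript
// Added example, not GitLab's code: the unescaped renderRow pattern from
// sidebar_move_issue.js next to a hardened version, exercised against a
// constructed project list whose namespace carries the reporter's payload.

// Constructed sample input shaped like the objects the dropdown receives.
// The namespace prefix is whatever the user's display name was at project
// creation time, which is why the payload survives a later rename.
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';
const projects = [
  { id: 1, name_with_namespace: 'frans / poc' },
  { id: 2, name_with_namespace: `${PAYLOAD} / test` },
];

// Vulnerable: attacker-controlled text is spliced straight into markup, so
// the browser parses the <img> tag and fires onerror when the row renders.
function renderRowVulnerable(project) {
  return `
    <li>
      <a href="#" class="js-move-issue-dropdown-item">
        ${project.name_with_namespace}
      </a>
    </li>
  `;
}

// Hand-written escaper (an assumption so the example runs without
// dependencies). Covers the five characters that change meaning in HTML
// text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened: identical template, but the interpolated value is escaped first,
// so the payload is shown as literal text in the dropdown instead of parsed.
function renderRowEscaped(project) {
  return `
    <li>
      <a href="#" class="js-move-issue-dropdown-item">
        ${escapeHtml(project.name_with_namespace)}
      </a>
    </li>
  `;
}

// Render the whole dropdown with a given row renderer, mirroring how the
// real code maps over the project list.
function renderDropdown(list, renderRow) {
  return `<ul>${list.map(renderRow).join('')}</ul>`;
}

// Rough regression check for this demonstration only: does any element tag
// other than the template's own <ul>/<li>/<a> appear in the rendered HTML?
// A browser-side test would parse with DOMParser and inspect the tree.
function hasForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  const allowed = new Set(['ul', 'li', 'a']);
  return tags.some((t) => !allowed.has(t.replace(/^<\/?/, '').toLowerCase()));
}

// Stand-alone run: reports which renderer lets the payload through.
console.log('vulnerable leaks tag:', hasForeignTag(renderDropdown(projects, renderRowVulnerable)));
console.log('escaped leaks tag:   ', hasForeignTag(renderDropdown(projects, renderRowEscaped)));
```

In a browser the cleanest fix is to skip string templates for the user-controlled part altogether: create the anchor with document.createElement and assign the namespace to textContent, so no attacker text is ever parsed as markup. The escape-before-interpolate variant above is the minimal change to the existing template.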
PoC
- Go to /profile and change your name to: <img src=x onerror=alert(document.domain)>
- Save, and create a new project, name it test.
- Now, go back to /profile and set your name to something else, in my case I set it to frans.
- Create a new project, poc.
- Create a new issue in the new project. Go to the issue page and click Move issue. The JavaScript from the first project's namespace should trigger.
PoC-movie: GitlabXSS2
(PS. Don't be scared of the amount of XSS reports I send in, you're doing great and it's not that easy to find these at all; I've been doing this for some time so I know where to look.)
Regards, Frans
Impact
The stored XSS triggers for anyone who opens the Move issue selector, including on gitlab.com, and it can be triggered via public repos. You could easily build a PoC that, as soon as the script runs, reads the current user's CSRF token and uses it to change their email address, or steals information about their private repositories.