Promoting a milestone is missing an authorization check (#51301) · Issues · GitLab.org / GitLab FOSS

Promoting a milestone is missing an authorization check

We received a report from an external security research that the functionality for promoting a milestone is missing an authorization check. The report can be found at https://hackerone.com/reports/406390. In summary, a project member in the guest role can promote a project milestone to a group milestone.

I could reproduce the reported behavior and believe it is a bug.

Please find the full report below.

Title:         Guest role user can promote open milestones in project 
Scope:         *.gitlab.com
Weakness:      Privilege Escalation
Severity:      No Rating
Link:          https://hackerone.com/reports/406390
Date:          2018-09-06 08:50:02 +0000
By:            @sandeep_hodkasia

Details:

NOTE! Thanks for submitting a report! Please replace all the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

Summary: Guest role user can promote open milestones in project.

Description: Guest role user were not allowed to either edit, create or delete milestone in project. But privilege escalation on the vulnerable request allows guest role user to promote open milestone in project. And once the milestone is promoted it will available for all the projects inside the group and this process can't be reversed.

##Vulnerable request:

POST /sandeep01/test/milestones/4/promote HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/sandeep01/test/milestones/4
X-CSRF-Token: xxxx
X-Requested-With: XMLHttpRequest
Cookie: xxxxx
Connection: close
Content-Length: 28

{"params":{"format":"json"}}

Steps To Reproduce:

add new project in group.
Add guest member in project.
create new milestone in project.
Replay vulnerable request in burp suite using new guest role user session.
Change group name (sandeep01), project name (test) and milestone number (4) in the vulnerable with your account data.
HIT API
Milestone will be promoted.

Impact

Guest role user can promote open milestones in project

We received a report from an external security research that the functionality for [promoting a milestone](https://docs.gitlab.com/ee/user/project/milestones/#promoting-project-milestones-to-group-milestones) is missing an authorization check. The report can be found at https://hackerone.com/reports/406390. In summary, a project member in the guest role can promote a project milestone to a group milestone.

I could reproduce the reported behavior and believe it is a bug.

Please find the full report below.

---

```
Title:         Guest role user can promote open milestones in project 
Scope:         *.gitlab.com
Weakness:      Privilege Escalation
Severity:      No Rating
Link:          https://hackerone.com/reports/406390
Date:          2018-09-06 08:50:02 +0000
By:            @sandeep_hodkasia
```

Details:
> NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

**Summary:** 
Guest role user can promote open milestones in project.

**Description:** 
Guest role user were not allowed to either edit, create or delete milestone in project.
But privilege escalation on the vulnerable request allows guest role user to promote open milestone in project. And once the  milestone is promoted it will available for all the projects inside the group and this process can't be reversed.

##Vulnerable request:
```
POST /sandeep01/test/milestones/4/promote HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/sandeep01/test/milestones/4
X-CSRF-Token: xxxx
X-Requested-With: XMLHttpRequest
Cookie: xxxxx
Connection: close
Content-Length: 28

{"params":{"format":"json"}}
```

## Steps To Reproduce:

1. add new project in group.
2. Add guest member in project.
3. create new milestone in project.
4. Replay vulnerable request in burp suite using new guest role user session.
5. Change group name (sandeep01), project name (test) and milestone number (4) in the vulnerable with your account data.
6. HIT API
7. Milestone will be promoted.

## Impact

Guest role user can promote open milestones in project

Edited Sep 10, 2018 by Douwe Maan

Discussion
Designs

Promoting a milestone is missing an authorization check

Steps To Reproduce:

Impact

Related issues