Blind SSRF in Prometheus Integration
HackerOne report #462325 by ngalog on 2018-12-14:
Summary: In https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ it states that Prometheus is vulnerable to SSRF. I checked, and it was following 302 redirects when fetching the API endpoint; now it wouldn't follow redirects, meaning it is not vulnerable anymore.
However, there is still one thing that the integration forgot to check: a TOCTOU issue.
Steps To Reproduce:
- Visit https://{gitlab_instance}/:project_namespace/services/prometheus/edit
- Enter a domain that points to an external IP address
- After it has been accepted, go to your DNS name provider and change the domain to point to an internal IP address
- Blind SSRF again
Impact
Blind SSRF in Prometheus Integration
Security issue
Edited by Reuben Pereira
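
A mitigation for the check-then-use gap described in the report, as an added example that is not part of the report and is not GitLab's code: resolve the hostname at request time, reject it if any answer is internal, and connect to the validated address so no second lookup occurs. The names `pinned_address`, `fetch`, `BLOCKED_NETS` and `RebindingResolver` are hypothetical, the blocked ranges are illustrative rather than exhaustive, and the resolver answers are constructed.

```ruby
require 'ipaddr'
require 'net/http'
require 'resolv'

# Ranges a server-side fetcher should not reach (illustrative, not exhaustive).
BLOCKED_NETS = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class BlockedAddress < StandardError; end

def blocked?(ip)
  addr = IPAddr.new(ip)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:10.0.0.1 counts as 10.0.0.1
  BLOCKED_NETS.any? { |net| net.include?(addr) }
end

# Resolve once, reject the host if ANY answer is internal, and return the
# single address the caller must connect to.
def pinned_address(host, resolver: Resolv)
  ips = resolver.getaddresses(host).map(&:to_s)
  raise BlockedAddress, "#{host}: no addresses" if ips.empty?
  bad = ips.find { |ip| blocked?(ip) }
  raise BlockedAddress, "#{host} resolves to #{bad}" if bad
  ips.first
end

# Validate at request time and connect to the validated IP, so there is no
# second lookup between the check and the use. Net::HTTP does not follow redirects.
def fetch(url, resolver: Resolv)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.ipaddr = pinned_address(uri.host, resolver: resolver)
  http.use_ssl = uri.scheme == 'https' # Host header and TLS name stay uri.host
  http.request(Net::HTTP::Get.new(uri))
end

# Constructed resolver: first answer is public (TEST-NET-3), later ones internal.
class RebindingResolver
  def initialize
    @answers = ['203.0.113.10', '10.0.0.5']
  end

  def getaddresses(_host)
    [@answers.length > 1 ? @answers.shift : @answers.first]
  end
end
```

Validating only when the integration settings are saved corresponds to the first `pinned_address` call succeeding; repeating the check on every request, and pinning the connection to its result, is what rejects the changed record.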