Skip to content

make issue comment unreadable by using ![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd%00)

HackerOne report #860559 by tiradorngpilipinas on 2020-04-27, assigned to @jeremymatos:

Summary

Hi gitlab team. I find out that when creating an issue and then commenting an %00 . The attacker can make the commend issue unusable just by one comment. The attacker need only 1 comment and comment in the issue will not read anymore

Steps to reproduce

(Step-by-step guide to reproduce the issue, including:)

  1. go to gitlab.com and create an project
  2. in project create an issue
  3. comment 5 comments for content of comments
  4. input attacker comment a
  5. Now all 5 comments will not readable and it will say Something went wrong while fetching comments. Please try again.

Impact

making comment not readable and unusable just by using %00

Attachments

Warning: Attachments received through HackerOne, please exercise caution!