Skip to content

Unrestricted file upload leads to Stored XSS

HackerOne report #880099 by semsem123 on 2020-05-21, assigned to @vdesousa:

Summary

i found that i can upload png file with JavaScript code and execute it in wiki page.

Steps to reproduce

(Step-by-step guide to reproduce the issue, including:)

1-login to gitlab account
2-open your project
3-open Wiki page.
4-Click "New page" button.
5-attach png file which contain below code
<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> </svg>
6-Click "Create page" button.
7-Click on green triangle
8-if The alert dialog not appears from first time just click on it one more time

Impact

If wiki pages created by using this vulnerability are visible to everyone (Wiki Visibility setting is set to "Everyone With Access") in "Public" project, there is a possibility that a considerable number of GitLab users and visitors click a malicious link.

Examples

gitlab.com

tested on Google Chrome

https://gitlab.com/semsemhacker123/semsemtest/-/wikis/ssaa-home
https://gitlab.com/semsemhacker123/semsemtest/-/wikis/uploads/1308853a75502f77b3e22a2f9b0cc88a/1111111.png

What is the current bug behavior?

The alert dialog appears after clicking "green triangle " in created page.

What is the expected correct behavior?

the png file it must be not executed as image/svg+xml

Impact

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page

Attachments

Warning: Attachments received through HackerOne, please exercise caution!