Unrestricted file upload leads to Stored XSS
HackerOne report #880099 by semsem123
on 2020-05-21, assigned to @vdesousa:
Summary
i found that i can upload png file with JavaScript code and execute it in wiki page.
Steps to reproduce
(Step-by-step guide to reproduce the issue, including:)
1-login to gitlab account
2-open your project
3-open Wiki page.
4-Click "New page" button.
5-attach png file which contain below code
<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> </svg>
6-Click "Create page" button.
7-Click on green triangle
8-if The alert dialog not appears from first time just click on it one more time
Impact
If wiki pages created by using this vulnerability are visible to everyone (Wiki Visibility setting is set to "Everyone With Access") in "Public" project, there is a possibility that a considerable number of GitLab users and visitors click a malicious link.
Examples
gitlab.com
tested on Google Chrome
https://gitlab.com/semsemhacker123/semsemtest/-/wikis/ssaa-home
https://gitlab.com/semsemhacker123/semsemtest/-/wikis/uploads/1308853a75502f77b3e22a2f9b0cc88a/1111111.png
What is the current bug behavior?
The alert dialog appears after clicking "green triangle " in created page.
What is the expected correct behavior?
the png file it must be not executed as image/svg+xml
Impact
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page
Attachments
Warning: Attachments received through HackerOne, please exercise caution!