GitLab.org / GitLab / Issues / #25201
Closed
Issue created Nov 13, 2018 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Omniauth `google_oauth2/omniauth_error` endpoint renders arbitrary error message

HackerOne report #438746 by h33t on 2018-11-10:

Hi,

While testing GitLab I have come across a bug where it seemed like users can get manipulated or a malicious message could be spread by that vulnerable URL.

Content spoofing is a type of exploit used by malicious hackers to present a faked or modified Web site to the user as if it were legitimate. The intent is, typically, to defraud victims, although sometimes the purpose is simply to misrepresent an organization or an individual.

URL: https://gitlab.com/users/auth/google_oauth2/omniauth_error?error=Please+Go+To+Evil.com+This+Site+Is+Broken

Reproduction Steps

  • Access the URL.
  • In the error parameter put your message.

Impact

One thing I have thought of for this attack is that attackers might try to publish such a URL in Google using SEO, so then you don't need to send it to a specific user to show the message. If they can publish it on search engines easily, a lot of users will get the malicious message of the attacker.


From the Security Department:

Fixed error messages should be displayed for valid error codes from the OAuth specification; any invalid error code should render an "Invalid error code received" or other generic error message.

Edited Aug 12, 2020 by Drew Blessing
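The remediation the Security Department describes, shown as an added example that is not GitLab's own code: the vulnerable behaviour from the report (echoing the `error` query parameter verbatim) next to a hardened lookup that maps the OAuth 2.0 error codes defined in RFC 6749 section 4.1.2.1 to fixed, server-controlled messages and returns one generic message for anything else. The function names, the message wording and the `error_param_from_url` helper are assumptions made for this example; the attacker URL is the one from the report and the second URL is a constructed provider error.

```ruby
require 'uri'
require 'cgi'

# Added example, not GitLab code. Allow-list of OAuth 2.0 authorization
# error codes (RFC 6749 section 4.1.2.1) mapped to fixed messages. The
# wording of each message is an assumption for this example.
OAUTH_ERROR_MESSAGES = {
  'invalid_request'           => 'The authorization request was malformed.',
  'unauthorized_client'       => 'This application is not authorized to use this flow.',
  'access_denied'             => 'Access was denied by the resource owner or the provider.',
  'unsupported_response_type' => 'The provider does not support the requested response type.',
  'invalid_scope'             => 'The requested scope is invalid or unknown.',
  'server_error'              => 'The provider encountered an internal error.',
  'temporarily_unavailable'   => 'The provider is temporarily unavailable.'
}.freeze

# Single message for any value that is not a known error code.
GENERIC_MESSAGE = 'Invalid error code received'.freeze

# Vulnerable behaviour as described in the report: whatever arrives in the
# `error` parameter is rendered verbatim, so the attacker controls the text.
def vulnerable_omniauth_error_message(error_param)
  error_param.to_s
end

# Hardened behaviour: the parameter is only ever used as a lookup key.
# Lookup is exact and case-sensitive, matching the spec's lowercase codes;
# anything else, including nil, falls through to the generic message.
def omniauth_error_message(error_param)
  OAUTH_ERROR_MESSAGES.fetch(error_param.to_s, GENERIC_MESSAGE)
end

# Assumed helper (not from the page): extract the `error` query value from
# a URL, decoding '+' and percent-escapes the way a Rails controller would.
def error_param_from_url(url)
  query = URI.parse(url).query
  return nil if query.nil?
  CGI.parse(query).fetch('error', []).first
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the reporter's URL and a legitimate provider error.
  attacker_url = 'https://gitlab.com/users/auth/google_oauth2/omniauth_error?error=Please+Go+To+Evil.com+This+Site+Is+Broken'
  provider_url = 'https://gitlab.com/users/auth/google_oauth2/omniauth_error?error=access_denied'
  [attacker_url, provider_url].each do |url|
    param = error_param_from_url(url)
    puts "vulnerable: #{vulnerable_omniauth_error_message(param)}"
    puts "hardened:   #{omniauth_error_message(param)}"
  end
end
```

With the allow-list in place the worst an attacker can do is select which of the fixed, provider-neutral messages is shown; no attacker-supplied wording reaches the page, which is what closes the content-spoofing vector the report describes.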