Skip to content

A profile page of a user can be denied from loading by appending .html to the username

HackerOne report #475098 by maruthi12 on 2019-01-05, assigned to dappelt:

Summary: I was able to create a user with the username "dashboard.html". Once, the account is set up, when the user clicks on his profile, the actual dashboard will show up instead of his profile page. Same can be done for all the HTML pages in GitLab.

Steps To Reproduce:

  1. Register a new user with "some_html_page_in_gitlab.html"
  2. After logging in. click on the profile tab, it will be redirected to the dashboard page.
  3. I even tried the username "profile.html", it is getting directed to the profile tab.

Impact

The major impact here I can think of is that a user can hide his profile from the public just by having a clowny username.