Hyperlink injection in full name field of user profile
HackerOne report #1090634 by andor404
on 2021-01-30, assigned to @ankelly:
Report
Summary
Hello GitLab Team,
I found a payload for the "Full name" field of the user profile page which leads to hyperlink injection in the breadcrumb navigation of the user's projects.
Steps to reproduce
- On the user profile page, change the "Full name" field to: New Username
- If there isn't already a project under the user's namespace, create a new one.
- Browse to any project of the user.
- The user's namespace text in the breadcrumb navigation has now changed to "New Username". If clicked, it will open http://example.com/ and not the user's profile page.
Impact
An attacker could create a malicious clone of the GitLab login page which hijacks account credentials. If a user clicks the malicious link and tries to log in to the attacker's fake site, their credentials could be captured by the attacker.
Examples
[REDACTED]
What is the current bug behavior?
The namespace text of the breadcrumb navigation will be overwritten with a clickable link to an external website.
What is the expected correct behavior?
It should not be possible to change the breadcrumb navigation hyperlink and point it to an external website.
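The report describes a display name that is rendered into breadcrumb markup as raw HTML, and the expected behaviour is that the name can never become a link. The following Ruby is an added illustration written for this page; it is not the reporter's payload and not GitLab's code. It contrasts a hypothetical unescaped rendering with an escaped one, adds a server-side validation that rejects angle brackets in display names, and includes a small check that counts the anchors actually present in the rendered breadcrumb. The sample name, profile path and function names are all constructed for the example.

```ruby
require "erb"

# Constructed sample input standing in for the class of payload the report
# describes: a display name that carries its own anchor tag.
INJECTED_NAME = '<a href="http://example.com/">New Username</a>'

# Hypothetical vulnerable pattern (not GitLab's code): the display name is
# interpolated straight into the breadcrumb markup, so any tags it contains
# become part of the page and the inner anchor hijacks the click.
def breadcrumb_unsafe(full_name, profile_path)
  %(<a href="#{profile_path}">#{full_name}</a>)
end

# Hardened pattern: HTML-escape both the path and the name at the point of
# rendering. The injected anchor is shown as literal text inside the one
# legitimate link, so clicking still goes to the profile page.
def breadcrumb_safe(full_name, profile_path)
  %(<a href="#{ERB::Util.html_escape(profile_path)}">#{ERB::Util.html_escape(full_name)}</a>)
end

# Defence in depth at storage time: a display name has no reason to contain
# markup characters, so reject them before the value ever reaches a view.
# Returns an array of error strings (empty when the name is acceptable).
def validate_full_name(full_name)
  errors = []
  errors << "must not contain HTML angle brackets" if full_name.match?(/[<>]/)
  errors << "must be at most 255 characters" if full_name.length > 255
  errors
end

# Regression check usable in a view test: list the href of every real <a>
# element in the rendered fragment. A correct breadcrumb yields exactly the
# profile path and nothing else.
def links_in(html)
  html.scan(/<a\s+href="([^"]*)"/).flatten
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe : #{links_in(breadcrumb_unsafe(INJECTED_NAME, '/example-user')).inspect}"
  puts "safe   : #{links_in(breadcrumb_safe(INJECTED_NAME, '/example-user')).inspect}"
  puts "validate: #{validate_full_name(INJECTED_NAME).inspect}"
end
```

The `links_in` check is the useful part for a review: a rendered breadcrumb that yields more than one href, or an href that is not the expected profile path, is the symptom described in the report regardless of which field the markup came from.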
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
System information
System: Kali 2020.3
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.2p137
Gem Version: 3.1.4
Bundler Version: 2.1.4
Rake Version: 13.0.3
Redis Version: 5.0.9
Git Version: 2.29.0
Sidekiq Version: 5.2.9
Go Version: unknown
GitLab information
Version: 13.8.1-ee
Revision: e10a21e6
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.4
URL: http://gitlab.local
HTTP Clone URL: http://gitlab.local/some-group/some-project.git
SSH Clone URL: git@gitlab.local:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 13.15.0
Repository storage paths:
default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
An attacker could create a phishing site which looks like a valid GitLab login page to steal valid credentials of other GitLab users.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
[REDACTED]