  • #329916
Closed
Open
Issue created May 04, 2021 by GitLab SecurityBot (@gitlab-securitybot)

Users can reply to Vulnerability Report discussions despite `Only Project Members` settings

HackerOne report #1180043 by wi11 on 2021-04-29, assigned to @ankelly:


Report

Summary

Hi team,

When the visibility of Security & Compliance is set to Only Project Members, anyone can still comment on the discussion of a vulnerability report once they get the discussion_id.

Related issue gitlab-foss#60465 (closed)

Steps to reproduce

You need two accounts to reproduce.

1. As victim, **you need to have a Vulnerability Report; if you have one, go to Step 2.** Create a project -> go to Security & Compliance -> Configuration -> Enable (SAST) -> upload a php file with the code `<?php eval($_POST['888']);?>` to your repository -> wait for the pipeline to pass -> go to Vulnerability report.
report.png
2. At the Vulnerability Report, change the status -> then you can add a comment; intercept the request when adding a comment and you can see the discussion_id.
change_status.png
discussion_id.png
3. As attacker, go to the victim's project -> add an issue -> start a thread in it -> intercept the request and reply to the thread you have created; you will see a request like this.
reply_thread.png
4. Change the in_reply_to_discussion_id to the discussion_id from Step 2 and send the request.
5. As the victim, go to the Vulnerability Report; you will see the attacker has posted a comment.
attacker_comment.png

Impact

Guessing the Discussion ID can be difficult or may not be practically possible to brute force. So how can one know the discussion ID?
A user may have been able to see the Vulnerability Report before; in such cases, users may know the discussions (and their IDs, theoretically noted down somewhere).
So afterwards, they may continue to reply to those discussions which were public before!

What is the current bug behavior?

A restricted user who knows the discussion_id can reply on a discussion of the vulnerability report.

What is the expected correct behavior?

A restricted user can't reply on a discussion of the vulnerability report.

Output of checks

This bug happens on GitLab.com

Impact

A restricted user who knows the discussion_id can reply on a discussion of the vulnerability report.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • attacker_comment.png
  • change_status.png
  • reply_thread.png
  • report.png
  • discussion_id.png

How To Reproduce

Please add reproducibility information to this section:
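The authorization gap the report describes, modeled as an added example (not GitLab's own code): a reply endpoint that authorizes against the noteable named in the request rather than the one the supplied `in_reply_to_discussion_id` actually belongs to, beside a hardened check that resolves the discussion first. All class, method and sample names here are hypothetical.

```ruby
# Added example, not GitLab code: a toy model of the reply-authorization gap
# in the report, with a hardened check beside it. All names are hypothetical.

# A project either restricts Security & Compliance to members or not.
Project = Struct.new(:members, :security_members_only)
# A discussion belongs to a "noteable": here either an :issue or a :vulnerability.
Discussion = Struct.new(:id, :noteable_type, :project)

class ReplyAuthorizer
  def initialize(discussions)
    # Constructed in-memory index standing in for a database lookup.
    @discussions = discussions.to_h { |d| [d.id, d] }
  end

  # Vulnerable form: authorizes against the noteable named in the request
  # (the attacker's own issue) and never checks which noteable the supplied
  # in_reply_to_discussion_id actually belongs to.
  def vulnerable_can_reply?(user, request_noteable_type, project, in_reply_to_discussion_id)
    return false unless @discussions.key?(in_reply_to_discussion_id)

    can_read_noteable?(user, request_noteable_type, project)
  end

  # Hardened form: resolve the discussion first, refuse replies that cross
  # projects or noteable types, then authorize against the real parent.
  def hardened_can_reply?(user, request_noteable_type, project, in_reply_to_discussion_id)
    discussion = @discussions[in_reply_to_discussion_id]
    return false unless discussion
    return false unless discussion.project.equal?(project)
    return false unless discussion.noteable_type == request_noteable_type

    can_read_noteable?(user, discussion.noteable_type, discussion.project)
  end

  private

  # Issues are readable by anyone here (public project); vulnerability
  # discussions require membership when "Only Project Members" is set.
  def can_read_noteable?(user, noteable_type, project)
    case noteable_type
    when :issue then true
    when :vulnerability
      !project.security_members_only || project.members.include?(user)
    else false
    end
  end
end
```

The hardened check also rejects a reply whose discussion belongs to a different project or noteable type than the request claims, which is the cross-object substitution the report relies on.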
