GitLab's Service Desk allows spoofing issue creator via reply-to email header
HackerOne report #1433607 by rijalrojan on 2021-12-22:
Report
Summary
Service Desk is a feature that is enabled by default in GitLab cloud and is optional in on-premise instances. When enabled, it allows users to report issues to maintainers by sending an email. The receiver email format is as follows: contact-project+USERNAME-PROJECTNAME-PROJECTID-issue-[@]incoming.gitlab.com. This takes in the email and creates a ticket on its behalf. Created tickets are accessible by maintainers only.
The system that ingests the email and creates a ticket respects the Reply-To header more than the actual From header when it receives the email. For example, in Gmail/GSuite you can set up your own reply-to.
Now when I send email to my test instance, this is what it looks like:
You can use this to create tickets on behalf of maintainers and others. Service Desk by default allows creating tickets for private repositories as well, so this is not limited to public repos.
Steps to reproduce
- Change your Reply-To in Gmail/GSuite to reflect your victim's email.
- Send an email to a service desk email and notice your Reply-To is used as the sender.
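The following is an added example, not code from the report or from GitLab, showing the two halves of the issue described above: the message an attacker sends in the steps (real address in From, victim in Reply-To), and an ingester that attributes the ticket from Reply-To beside one that attributes it from From and only carries Reply-To as the address to answer to. All addresses, the service desk mailbox and the Authentication-Results header are constructed placeholders; the function names are assumptions, and the check for "dmarc=pass" is a deliberately simple stand-in for whatever sender authentication the receiving MTA actually records.

```python
"""Reply-To versus From attribution in an e-mail-to-ticket ingester.

Added illustration for the report above; not GitLab's code.
"""
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed placeholder addresses (not real mailboxes).
ATTACKER = "attacker@example.net"
VICTIM = "maintainer@example.org"
# Follows the address layout quoted in the report, with placeholder values.
SERVICE_DESK = "contact-project+user-proj-1234-issue-@incoming.example.com"


def build_spoofing_mail(victim, attacker, service_desk, subject, body):
    """Build (not send) the message from the reproduction steps.

    The real sender stays in From; the victim is placed in Reply-To,
    which is exactly what changing the Gmail/GSuite reply-to setting does.
    """
    msg = EmailMessage()
    msg["From"] = attacker
    msg["Reply-To"] = victim
    msg["To"] = service_desk
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def vulnerable_author(raw):
    """Reported behaviour: the ticket author is taken from Reply-To when present."""
    msg = message_from_string(raw)
    header = msg.get("Reply-To") or msg.get("From", "")
    return parseaddr(header)[1].lower()


def hardened_attribution(raw):
    """Attribute the ticket from From only.

    Reply-To is kept separately as the address to answer to, and a
    mismatch between the two is surfaced so the ticket can be flagged.
    From itself can be forged on an unauthenticated path, so the result
    also reports whether the receiving MTA recorded a DMARC pass in a
    (constructed, assumed-present) Authentication-Results header.
    """
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower() or author
    auth_results = msg.get("Authentication-Results", "")
    return {
        "author": author,
        "reply_to": reply_to,
        "header_mismatch": reply_to != author,
        "authenticated": "dmarc=pass" in auth_results.lower(),
    }


if __name__ == "__main__":
    raw = build_spoofing_mail(VICTIM, ATTACKER, SERVICE_DESK, "Bug", "spoofed body")
    print("vulnerable ingester attributes ticket to:", vulnerable_author(raw))
    print("hardened ingester sees:", hardened_attribution(raw))
```

Run stand-alone, the vulnerable path attributes the ticket to the victim address while the hardened path names the attacker as author, records the victim only as the reply address, and flags the mismatch. The point of the separate `authenticated` field is that dropping Reply-To alone closes the reported bypass but does not make From trustworthy; that requires checking the MTA's SPF/DKIM/DMARC verdict as well.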
Impact
The easiest and direct impact to this is being able to spoof and create tickets as maintainers. I am investigating further in my own instance but it will take time to setup.
Attachments
- Screen_Shot_2021-12-21_at_7.12.53_PM.png
- Screen_Shot_2021-12-21_at_7.14.34_PM.png
- Screen_Shot_2021-12-21_at_7.15.44_PM.png