
Gitlab Open Redirect Vulnerability

HackerOne report #1711497 by burpheart on 2022-09-25, assigned to @dcouture:


Report

Summary

An open redirection vulnerability in GitLab OAuth.

Steps to reproduce
  1. Visit https://gitlab.com/login/oauth/authorize?redirect_uri=https://hackerone.com/
    (No browser rendering required. Requests can be initiated invisibly using HTML img tags.)
  2. Visit https://gitlab.com/login/oauth/callback and get redirected to https://hackerone.com/?code

Or something like this for one click. The link could be a redirection.

<img src=" https://gitlab.com/login/oauth/authorize?redirect_uri=https://hackerone.com/121233">
<a href="https://gitlab.com/login/oauth/callback">click here</a>

Impact

By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

Examples
  1. Visit https://gitlab.com/login/oauth/authorize?redirect_uri=https://hackerone.com/
  2. Visit https://gitlab.com/login/oauth/callback and get redirected to https://hackerone.com/?code

What is the current bug behavior?

Visiting the OAuth callback redirects to https://hackerone.com/?code

What is the expected correct behavior?

Callback URLs that pass the check are redirected.

Relevant logs and/or screenshots
Output of checks

This bug happens on GitLab 15.4.0-ee and GitLab.com

Results of GitLab environment info

System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version:2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version:6.4.2
Go Version: unknown

GitLab information
Version: 15.4.0-ee
Revision: abbda555
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell

Impact

An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
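The expected behaviour stated in the report is that only callback URLs that pass the check are redirected. The following Ruby sketch, added here as an illustration and not part of the report or of GitLab's code base, shows the defensive shape of that check for an OAuth authorization server: the `redirect_uri` is compared by exact string match against the URIs pre-registered for the client (as RFC 6749 recommends), the value is only stored in the session after it passes, and the callback step re-validates the stored value before issuing any redirect. The client registry, the `authorize`/`callback` helpers and the session hash are constructed for the example; the rejected URL is the one from the report.

```ruby
require "uri"

# Constructed sample registry: client_id => exact redirect URIs registered for it.
# (Hypothetical data; GitLab's real application model is not shown here.)
REGISTERED_CLIENTS = {
  "client-abc" => [
    "https://app.example.com/oauth/callback",
    "https://app.example.com/oauth/callback2"
  ]
}.freeze

# Exact-match validation of a redirect_uri against the client's registered URIs.
# Prefix matching, host-only matching or "starts with https://" checks would let
# an attacker-controlled value through; exact match does not.
def valid_redirect_uri?(client_id, redirect_uri)
  registered = REGISTERED_CLIENTS[client_id]
  return false if registered.nil? || redirect_uri.nil?

  # Reject anything that does not even parse instead of comparing it loosely.
  uri = begin
    URI.parse(redirect_uri)
  rescue URI::InvalidURIError
    return false
  end
  return false unless uri.is_a?(URI::HTTPS)  # require TLS for the callback
  return false unless uri.fragment.nil?      # RFC 6749 3.1.2: no fragment component

  registered.include?(redirect_uri)
end

# Authorize step: nothing is persisted in the session unless the redirect_uri
# passed validation, so a later callback cannot be steered to an unchecked target.
def authorize(session, client_id, redirect_uri)
  unless valid_redirect_uri?(client_id, redirect_uri)
    return { status: 400, error: "invalid_redirect_uri" }
  end
  session[:oauth_client_id] = client_id
  session[:oauth_redirect_uri] = redirect_uri
  { status: 302, location: redirect_uri }  # in a real flow: the consent page
end

# Callback step: re-check the stored target before appending the code and redirecting.
def callback(session, code)
  client = session[:oauth_client_id]
  target = session[:oauth_redirect_uri]
  return { status: 400, error: "no_pending_authorization" } if target.nil?
  return { status: 400, error: "invalid_redirect_uri" } unless valid_redirect_uri?(client, target)

  # Append code= to any existing query rather than blindly concatenating "?code=".
  uri = URI.parse(target)
  params = URI.decode_www_form(uri.query || "") << ["code", code]
  uri.query = URI.encode_www_form(params)
  { status: 302, location: uri.to_s }
end

if __FILE__ == $PROGRAM_NAME
  bad = {}
  p authorize(bad, "client-abc", "https://hackerone.com/")   # 400, nothing stored
  p callback(bad, "c0de")                                      # 400, no redirect

  good = {}
  p authorize(good, "client-abc", "https://app.example.com/oauth/callback")  # 302
  p callback(good, "c0de")  # 302 to the registered URI with ?code=c0de
end
```

The important property is that the unregistered value never reaches the session: once an unvalidated `redirect_uri` is remembered server-side, a separate, innocuous-looking request to the callback endpoint becomes the redirect, which is exactly the two-step pattern the report describes.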

How To Reproduce

Please add reproducibility information to this section:

Edited by Dominic Couture