GitLab.org / GitLab / Issues / #376046
Closed
Issue created Sep 30, 2022 by GitLab SecurityBot @gitlab-securitybot (Reporter)

Gitlab Open Redirect Vulnerability

HackerOne report #1711497 by burpheart on 2022-09-25, assigned to @dcouture:

Report | How To Reproduce

Report

Summary

An open redirect vulnerability in GitLab OAuth.

Steps to reproduce
  1. Visit https://gitlab.com/login/oauth/authorize?redirect_uri=https://hackerone.com/
     (No browser rendering is required; the request can be issued invisibly with an HTML img tag.)
  2. Visit https://gitlab.com/login/oauth/callback and you are redirected to https://hackerone.com/?code

Or something like this, for a one-click version (the link could itself be a redirect):

<!-- the img request hits the authorize endpoint invisibly and plants the attacker-chosen redirect_uri -->
<img src="https://gitlab.com/login/oauth/authorize?redirect_uri=https://hackerone.com/121233">
<!-- the click then hits the callback, which redirects to that redirect_uri with ?code appended -->
<a href="https://gitlab.com/login/oauth/callback">click here</a>
Impact

By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

Examples
  1. Visit https://gitlab.com/login/oauth/authorize?redirect_uri=https://hackerone.com/
  2. Visit https://gitlab.com/login/oauth/callback and you are redirected to https://hackerone.com/?code
What is the current bug behavior?

Visiting the OAuth callback redirects to https://hackerone.com/?code

What is the expected correct behavior?

Redirects should only go to callback URLs that pass the check.

Relevant logs and/or screenshots
Output of checks

This bug happens on GitLab 15.4.0-ee and GitLab.com

Results of GitLab environment info

System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version: 2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version: 6.4.2
Go Version: unknown

GitLab information
Version: 15.4.0-ee
Revision: abbda555
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 14.10.0
Repository storage paths:

  default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell

Impact

An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

How To Reproduce

Please add reproducibility information to this section:

Edited Oct 06, 2022 by Dominic Couture
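The report's "expected correct behavior" is that the callback only redirects to a redirect_uri that passes a check. The Ruby below is an added example, not GitLab's code and not the check GitLab actually had (the issue does not show it): it contrasts a permissive host-substring check, the shape of check behind many open redirects, with the exact-match validation RFC 6749 section 3.1.2.3 calls for, and shows the callback step re-validating the remembered target before issuing its 302. The registered URI list, the example hostnames and the attacker URL are constructed for this example.

```ruby
require 'uri'

# Added example, not GitLab's code. Registered redirect URIs for a hypothetical
# OAuth application; constructed for this example.
REGISTERED_REDIRECT_URIS = [
  'https://app.example.com/oauth/callback',
  'http://127.0.0.1:8080/callback' # loopback redirect, plain http tolerated
].freeze

# A permissive check that only asks whether a registered host appears somewhere
# in the candidate. It is satisfied by an attacker-chosen URL that merely
# mentions that host, which is the shape of an open redirect.
def weak_redirect_uri_allowed?(candidate, registered = REGISTERED_REDIRECT_URIS)
  registered.any? { |r| candidate.to_s.include?(URI.parse(r).host) }
end

# Strict check: the candidate must parse as an absolute http(s) URI, carry no
# fragment, use https unless it points at loopback, and equal a registered URI
# by plain string comparison (RFC 6749 section 3.1.2.3).
def strict_redirect_uri_allowed?(candidate, registered = REGISTERED_REDIRECT_URIS)
  return false if candidate.nil? || candidate.empty?

  uri = begin
    URI.parse(candidate)
  rescue URI::InvalidURIError
    return false
  end
  return false unless uri.is_a?(URI::HTTP) && uri.host # URI::HTTPS < URI::HTTP
  return false unless uri.fragment.nil?

  loopback = %w[127.0.0.1 localhost ::1].include?(uri.host)
  return false unless uri.scheme == 'https' || loopback

  registered.include?(candidate)
end

# What the callback step should do with the redirect target it remembered from
# the authorize step: re-validate it before building the 302 Location. Returns
# the Location string, or nil when the redirect must be refused.
def callback_location(stored_redirect_uri, code, registered = REGISTERED_REDIRECT_URIS)
  return nil unless strict_redirect_uri_allowed?(stored_redirect_uri, registered)

  uri = URI.parse(stored_redirect_uri)
  params = URI.decode_www_form(uri.query || '') << ['code', code]
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  attacker = 'https://hackerone.com/?app.example.com'
  puts "weak:   #{weak_redirect_uri_allowed?(attacker)}"   # true
  puts "strict: #{strict_redirect_uri_allowed?(attacker)}" # false
  puts callback_location('https://app.example.com/oauth/callback', 'abc').inspect
  puts callback_location('https://hackerone.com/', 'abc').inspect
end
```

Two design points matter here. The value to validate is the one the callback is about to redirect to, so validation belongs at the moment the 302 is built, not only when the parameter first arrives; a target accepted into the session by an unauthenticated request must not be trusted later. And the comparison is plain string equality against registered values, which removes the whole class of host-suffix, userinfo and query tricks that a looser match invites.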