Open Redirection Through HTTP Response Splitting
HackerOne report #1842314 by akadrian
on 2023-01-20, assigned to GitLab Team
Report
Summary
The endpoint responsible for downloading packages from the GitLab Package Registry is vulnerable to HTTP response splitting. By adding %0d%0a characters to the URL it's possible to cancel the default redirection and set an attacker-controlled value inside the Location header. This way it's possible to create an open-redirection attack via HTTP response splitting.
Steps to reproduce
- The vulnerability was tested on a self-hosted GitLab instance, version 15.6.1.
- By using the following URL the user will be redirected to the attacker's website, in this case http://example.com:
  http://gitlab.example.com/api/v4/projects/aaaa/packages/npm/%0d%0ahttp:/%2fexample.com?test
Impact
Users can be lured to malicious websites believing that it's a legitimate GitLab instance. This could lead to
What is the current bug behavior?
The user is able to change the Location header to their own value, leading to open redirection.
What is the expected correct behavior?
When no %0d and %0a characters are provided to the vulnerable endpoint, the redirection goes to the https://registry.npmjs.org/ website. The characters %0d and %0a should be filtered so that they cannot change the default Location header value.
Impact
The user is able to change the Location header to their own value, leading to open redirection.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
- Have a public project ready.
- Run:
  curl -vvv "http://gdk.test:8000/api/v4/projects/<project_id>/packages/npm/%0d%0ahttp:/%2fexample.com?test"
- Check the Location: header; it points to http://example.com
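The filtering the report asks for under "What is the expected correct behavior?", as an added Ruby example that is not GitLab's own code: it percent-decodes the package-name path segment, rejects anything containing CR/LF or other control characters, builds the upstream Location value and re-checks its host, and flags requests carrying an encoded CR/LF in constructed access-log lines. The upstream registry URL, the npm name allowlist and the log format are assumptions.

```ruby
require 'uri'

# Added example, not GitLab's code. Assumes the package name is the path
# segment after /packages/npm/ and that the upstream is https://registry.npmjs.org/
# (the default redirect target named in the report).
UPSTREAM = URI('https://registry.npmjs.org/')

# Percent-decode byte-wise so %0d%0a and %2f become the raw characters the
# application will actually see; invalid UTF-8 is scrubbed so regexes do not raise.
def percent_decode(segment)
  segment.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
         .force_encoding(Encoding::UTF_8).scrub
end

# Returns the Location value for an acceptable package name, or nil when the
# request must be answered with a 400 instead of any redirect.
def safe_npm_location(raw_segment)
  name = percent_decode(raw_segment)
  # CR, LF and other control characters can never be part of a header value.
  return nil if name.match?(/[\x00-\x1f\x7f]/)
  # Conservative allowlist (assumption): optional @scope/ plus a lowercase name.
  return nil unless name.match?(%r{\A(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*\z})
  location = "#{UPSTREAM}#{name}"
  # Defence in depth: the parsed result must still point at the upstream host.
  URI.parse(location).host == UPSTREAM.host ? location : nil
end

# Detection side: constructed access-log lines (not taken from the report).
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [20/Jan/2023:10:00:00 +0000] "GET /api/v4/projects/1/packages/npm/lodash HTTP/1.1" 302 0
  203.0.113.5 - - [20/Jan/2023:10:00:01 +0000] "GET /api/v4/projects/1/packages/npm/%0d%0ahttp:/%2fexample.com?test HTTP/1.1" 302 0
LOG

# Flags request lines whose target carries an encoded CR or LF (either hex case).
def crlf_in_request?(line)
  line.match?(/"[A-Z]+ [^" ]*%0[aAdD]/)
end

def suspicious_requests(log)
  log.lines.select { |line| crlf_in_request?(line) }
end

if __FILE__ == $PROGRAM_NAME
  p safe_npm_location('lodash')
  p safe_npm_location('%0d%0ahttp:/%2fexample.com')
  puts suspicious_requests(SAMPLE_LOG)
end
```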