Add attacker Epic as parent Epic to any Project issue on Gitlab.com with add existing child issues on Epic Feature [ Cross Org. IDOR ]
HackerOne report #2260466 by indoappsec
on 2023-11-22, assigned to @ngeorge1:
Report
Summary :
In GitLab.com groups you can add epics. Recently, a new feature was added to epics that lets you add an existing issue as a child issue. Normally, only users with the Reporter role are supposed to add a parent epic to issues. You can check this in the documentation below.
https://docs.gitlab.com/ee/user/group/epics/manage_epics.html
https://docs.gitlab.com/ee/user/permissions.html
In my testing, I found that the HTTP request of the group epic feature (adding an existing project issue as a child issue) is vulnerable to an IDOR attack. It allows the attacker's epic to be added as a parent to any public issue on GitLab.com. It will also update an already existing epic to the attacker's epic.
Vulnerable HTTP Request :
POST /groups/VG-Admin-group-Latest/-/epics/7/issues HTTP/2
Host: gitlab.com
Cookie: cookies
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/groups/VG-Admin-group-Latest/-/epics/7
Content-Length: 88
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"issuable_references":["https://gitlab.com/vk-test-group1/public-project/-/issues/9"]}
Vulnerable Parameter :
issuable_references
Steps to reproduce :
You will need 2 accounts to reproduce the issue.
1. Log in from the victim account on GitLab.com.
2. Create a new group (e.g. victim group).
3. In the group, create a new epic (e.g. victim epic).
4. Create a new public project (victim project) and create an issue in that project (victim issue). Copy the issue link URL.
Ex:
https://gitlab.com/group_name/project_name/-/issues/1
5. Now add the victim epic as the parent epic of the victim issue.
6. Now go to the victim epic and you will see the victim issue as a child issue.
7. Now log in from the attacker account.
8. Create a new group (attacker group) and create a new epic (attacker epic).
9. In the epic you will see the option Child issues and epics --> Add existing issue.
10. Now copy the victim issue link and paste it.
11. Add it to the epic.
12. The attacker epic will now be added to the victim issue as its parent epic.
13. It will also remove the victim issue from the victim epic, which is also not allowed.
Video POC :
I am attaching a Video POC to reproduce the issue.
What is the current bug behavior?
Currently, all GitLab.com project issues are vulnerable. Any attacker can
What is the expected correct behavior?
Only users with the Reporter role in the project should be able to set the parent epic.
Output of checks :
This bug happens on GitLab.com
Impact
Add attacker Epic as parent Epic to any Project issue on Gitlab.com with add existing child issues on Epic Feature [ Cross Org. IDOR ]
1. It's possible to set a parent epic for any issue on GitLab.com
2. It's possible to update the already existing epic of any issue on GitLab.com
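The authorization gap described in this report, modelled as an added Ruby example (not GitLab's code and not part of the original report): the caller's rights must be checked on every issue named in `issuable_references`, not only on the epic being edited. All class, method and URL names are hypothetical, and the role ladder is simplified.

```ruby
# Added illustration: every class, method and URL here is hypothetical.
ROLES = { guest: 10, reporter: 20, developer: 30 }.freeze # simplified role ladder
Project = Struct.new(:path, :members) do
  # members maps user => role; a non-member has no role, even on a public project
  def role_at_least?(user, role)
    ROLES.fetch(members[user], 0) >= ROLES.fetch(role)
  end
end
Issue = Struct.new(:project, :iid, :epic)
Epic  = Struct.new(:group, :iid, :editors)

class EpicIssueLinker
  def initialize(issues_by_url)
    @issues_by_url = issues_by_url
  end
  # Links each entry of issuable_references to the epic.
  # check_issue_access: false models the reported behaviour, where only the
  # caller's rights on the epic are checked.
  def link(user, epic, issuable_references, check_issue_access: true)
    return { linked: [], rejected: issuable_references } unless epic.editors.include?(user)

    result = { linked: [], rejected: [] }
    issuable_references.each do |url|
      issue = @issues_by_url[url]
      allowed = issue && (!check_issue_access || issue.project.role_at_least?(user, :reporter))
      if allowed
        issue.epic = epic # replaces any existing parent epic
        result[:linked] << url
      else
        result[:rejected] << url # unknown reference or role below Reporter
      end
    end
    result
  end
end

# Constructed sample data mirroring the report's victim/attacker setup.
def demo
  project = Project.new('victim-group/victim-project', { 'victim' => :developer })
  issue = Issue.new(project, 1, Epic.new('victim-group', 1, ['victim']))
  attacker_epic = Epic.new('attacker-group', 1, ['attacker'])
  url = 'https://gitlab.example/victim-group/victim-project/-/issues/1'
  linker = EpicIssueLinker.new({ url => issue })
  hardened = linker.link('attacker', attacker_epic, [url])
  kept = issue.epic.group # still the victim's epic
  weak = linker.link('attacker', attacker_epic, [url], check_issue_access: false)
  { hardened: hardened, kept: kept, weak: weak, moved_to: issue.epic.group }
end
p demo if __FILE__ == $PROGRAM_NAME
```

With the per-issue check enabled the cross-group reference is rejected and the issue keeps its parent epic; with it disabled the same call reassigns the parent, which is the behaviour the report describes.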