Users with the `Guest` role can change `Custom dashboard projects` settings for projects in the victim group
HackerOne report #2316435 by them4les_l1r
on 2024-01-15, assigned to @kmorrison1:
Report
Summary:
Based on this documentation, users with the Guest role cannot change group and project settings. I found a bug where users with the Guest role can change the Analytics Dashboards settings for groups and projects.
Steps to Reproduce:
[Victim]
- To reproduce this bug, you need to create a GitLab account with the Ultimate SaaS Plan Trial feature. Go to https://gitlab.com and select "Get Free Trial".
- Complete registration; at the end of the form you are asked to create a group and project.
- Invite the attacker as a Guest in your project.
- Go to your group -> select your project -> in the sidebar select Settings -> Analytics -> expand. You will notice that "Custom dashboard projects" is not yet set up.
- The attacker will set this feature.
[Attacker]
- Open https://gitlab.com and log in to the attacker's account.
- Go to the victim's group -> then select the victim project.
- Add /-/settings/analytics to the end of the URL and press Enter. You will be directed to the "Custom dashboard projects" page.
- Select the victim project in the combobox and select "Save changes". The attacker has succeeded in changing the "Custom dashboard projects" setting on the victim project.
Affected endpoints:
POST /group-name/project-name/-/settings/analytics HTTP/2
Host: gitlab.com
_method=patch&authenticity_token={TOKEN}&project%5Banalytics_dashboards_pointer_attributes%5D%5Bid%5D=XXXXXX&project%5Banalytics_dashboards_pointer_attributes%5D%5Btarget_project_id%5D={PROJECT ID}
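The request above is a plain role-check failure: the settings endpoint accepts the PATCH from any project member, including a Guest. The following Ruby is an added illustration written for this page, not GitLab's code, of the vulnerable shape (membership is checked, role is not) beside a hardened version that gates the write behind an explicit policy predicate. The access-level numbers, the `Project` model, the `can_admin_project_settings?` name and the rule "Maintainer or above may change project settings" are this example's assumptions; the form body is a constructed copy of the one quoted in the report with placeholder values.

```ruby
require 'uri'

# Ordered access levels. GitLab's roles are Guest < Reporter < Developer <
# Maintainer < Owner; the numeric values here are this example's own.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Minimal in-memory project: id, the analytics dashboards pointer, and a
# members hash of user name => access level (hypothetical model).
Project = Struct.new(:id, :analytics_dashboards_target_project_id, :members) do
  def access_level_for(user)
    members.fetch(user, nil)
  end
end

class NotAuthorized < StandardError; end

# Parse the Rails-style form body quoted in the report. decode_www_form
# percent-decodes the nested keys, e.g.
# project[analytics_dashboards_pointer_attributes][target_project_id].
def parse_analytics_params(body)
  form = URI.decode_www_form(body).to_h
  {
    method: form['_method'],
    target_project_id: form['project[analytics_dashboards_pointer_attributes][target_project_id]']&.to_i
  }
end

# Vulnerable shape: any member, Guest included, can write the setting.
def update_analytics_settings_vulnerable(project, user, body)
  raise NotAuthorized if project.access_level_for(user).nil?
  params = parse_analytics_params(body)
  project.analytics_dashboards_target_project_id = params[:target_project_id]
  :updated
end

# Policy predicate (assumed rule): only Maintainer and above may change
# project settings. Keeping the rule in one named predicate makes it easy
# to unit-test for every role.
def can_admin_project_settings?(project, user)
  level = project.access_level_for(user)
  !level.nil? && level >= ACCESS_LEVELS[:maintainer]
end

# Hardened shape: authorize before parsing or touching any state.
def update_analytics_settings(project, user, body)
  raise NotAuthorized unless can_admin_project_settings?(project, user)
  params = parse_analytics_params(body)
  raise ArgumentError, 'expected _method=patch' unless params[:method] == 'patch'
  project.analytics_dashboards_target_project_id = params[:target_project_id]
  :updated
end

# Constructed sample body modelled on the report's request; TOKEN, id and
# target_project_id are placeholders, not real values.
SAMPLE_BODY = '_method=patch&authenticity_token=TOKEN' \
              '&project%5Banalytics_dashboards_pointer_attributes%5D%5Bid%5D=1' \
              '&project%5Banalytics_dashboards_pointer_attributes%5D%5Btarget_project_id%5D=42'.freeze

# Runs the Guest through both handlers and the Owner through the hardened one.
def demo
  project = Project.new(7, nil, { 'victim' => ACCESS_LEVELS[:owner],
                                  'guest_user' => ACCESS_LEVELS[:guest] })
  results = {}
  results[:vulnerable_guest] = begin
    update_analytics_settings_vulnerable(project, 'guest_user', SAMPLE_BODY)
  rescue NotAuthorized
    :denied
  end
  project.analytics_dashboards_target_project_id = nil
  results[:hardened_guest] = begin
    update_analytics_settings(project, 'guest_user', SAMPLE_BODY)
  rescue NotAuthorized
    :denied
  end
  results[:hardened_owner] = update_analytics_settings(project, 'victim', SAMPLE_BODY)
  results[:final_target] = project.analytics_dashboards_target_project_id
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the split is detectability as much as correctness: with the rule living in one predicate, a regression test that iterates over every role and asserts on `can_admin_project_settings?` would have caught a Guest slipping through before the endpoint shipped.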
POC VIDEO:
Attacker_as_guest_can_set_Custom_Analytics_Dashboard.mp4
Impact
Users with the Guest role, who do not have access to group and project settings, can change the "Custom dashboard projects" settings for projects in the victim group.