HTML injection in Wiki templates allows attacker to leak autofill passwords
HackerOne report #2430261 by joaxcar
on 2024-03-21, assigned to @cmaxim:
Report
Summary
GitLab 16.10 shipped with Wiki Templates. Users can create wiki templates in a project that other users can select when creating a wiki page. https://docs.gitlab.com/ee/user/project/wiki/index.html#wiki-page-templates
The dropdown that lists the templates in the wiki creation page does not escape the template names. The names are sanitized, so there is not a lot an attacker can do, but I noticed that I can add an input tag looking like this: <input type=password name=wiki[title]>. This will render in the template dropdown (even if the dropdown is not expanded), and it will get auto-filled by Chrome if the user is using Chrome password manager.
When the victim fills out the form as usual and submits it, the password field will overwrite the title of the wiki page and create the wiki with the user's password in plain text. This will be stored in the wiki git log, so removing it is not trivial, and the attacker can exfiltrate it.
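The summary above describes the rendering defect: a template name supplied by one project member is placed into the dropdown's markup without HTML escaping, so a name containing a tag becomes a live element in another member's page. The following is an added example, not GitLab's code, contrasting the unsafe string-building pattern with an escaped version and a regression check a reviewer could keep in a test suite. The template object shape, the function names and the `<li>` wrapper are assumptions; the sample template name is the one quoted in the report.

```javascript
// Added example (not GitLab's code): rendering untrusted template names in a dropdown.
// Template names are written by other project members, so they are untrusted input
// and must be HTML-escaped before being concatenated into markup.

// Minimal HTML escaper covering the characters that matter in text and attribute context.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (assumed shape): the name is interpolated straight into markup.
// A name containing a tag is emitted as real HTML, which is the defect the report describes.
function renderTemplateOptionUnsafe(template) {
  return `<li data-template-id="${template.id}">${template.name}</li>`;
}

// Hardened form: escape both the attribute value and the text content.
function renderTemplateOptionSafe(template) {
  return `<li data-template-id="${escapeHtml(template.id)}">${escapeHtml(template.name)}</li>`;
}

// Regression check: after stripping the single wrapper element, the rendered option
// must contain no further '<', i.e. no element that came from the template name.
function containsInjectedTag(html) {
  const inner = html.replace(/^<li[^>]*>/, '').replace(/<\/li>$/, '');
  return /</.test(inner);
}

// Constructed sample data: one benign name and the name quoted in the report.
const templates = [
  { id: 1, name: 'Meeting notes' },
  { id: 2, name: '<input type=password name=wiki[title]>' },
];

// Renders every sample template both ways and reports whether a tag leaked through.
function demo() {
  return templates.map((t) => ({
    name: t.name,
    unsafeInjected: containsInjectedTag(renderTemplateOptionUnsafe(t)),
    safeInjected: containsInjectedTag(renderTemplateOptionSafe(t)),
    safeHtml: renderTemplateOptionSafe(t),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

In a Vue component, as GitLab's frontend uses, the same distinction is between `{{ template.name }}` interpolation (escaped) and `v-html` (raw); the check above is the kind of assertion that keeps a later refactor from reintroducing the raw form.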
Steps to reproduce
- Create a project where two users are members (minimum developers)
- As the attacker, go to https://gitlab.com/GROUP/PROJECT/-/wikis/templates and create a new template. Name it <input type=password name=wiki[title]>
- Click create
- As the victim, go to chrome://password-manager/passwords in Chrome and make sure you add credentials for gitlab.com
- Now go to https://gitlab.com/GROUP/PROJECT/-/wikis and click "new page"
- Fill out the form, don't open the templates dropdown
- Click create
- Your password should now be the title of the created wiki page
Impact
Leaking user passwords, leading to account takeover
What is the current bug behavior?
Template names are not sanitized
What is the expected correct behavior?
Template names should be sanitized
Output of checks
This bug happens on GitLab.com