DoS in the Issue and Commit comments pages
HackerOne report #690235 by dfens
on 2019-09-07, assigned to akelly
Summary
An attacker can cause a DoS (HTTP 500) in the Issue and Commit comment pages by inserting a character higher than 0x65533 inside a Markdown link.
Steps to reproduce
In this example we describe the steps to reproduce the DoS in the Issue page, but the same technique applies to the other affected pages.
Environment
From the Victim account:
- Create a Project in which the attacker account has permission to post comments on Issue pages.
- Open an Issue.
- Comment something in the opened Issue.
Attack
From the attacker account:
- Write a comment in the opened issue containing the contents of the attached exploit.txt.
- Reload page.
Impact
No comment on that page can be loaded from any account, giving the impression that all comments have been deleted.
This is because the GET request to discussions.json fails with HTTP 500.
After the exploit, the issue page is in a state where nobody can read, write or erase any comment.
Other observations
This issue has also been observed to affect the Activity page and the attacker's RSS feed.
If the exploit is used on a Commit comment page, neither the comments nor the diff of that commit can be viewed.
Impact
An attacker can make all discussions on the Issue pages of any public project unreadable.
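A defensive counterpart to the failure mode described above, added here as an example and not GitLab's code: the report shows that a single malformed comment makes the whole discussions.json request fail with a 500, so the mitigation pattern is to normalise comment text before it reaches the Markdown renderer and to render each note in isolation, so that one bad note degrades to a placeholder instead of taking down every comment on the page. The `render_markdown` stand-in (which raises on Unicode noncharacters to model a renderer that fails on unexpected input), the note hash shape, the `example.test` host and the sample notes are all constructed assumptions; the report does not state the real root cause of the 500.

```ruby
require 'cgi'

REPLACEMENT = "\uFFFD" # U+FFFD, the Unicode replacement character

# True for Unicode noncharacters: U+FDD0..U+FDEF and the last two code
# points of every plane (U+FFFE, U+FFFF, U+1FFFE, ...). They are never
# meant to appear in interchanged text.
def noncharacter?(cp)
  (cp >= 0xFDD0 && cp <= 0xFDEF) || (cp & 0xFFFE) == 0xFFFE
end

# Step 1: make the text safe to hand to the renderer. Invalid UTF-8 byte
# sequences and noncharacters are both replaced with U+FFFD.
def sanitize_comment(text)
  text.dup.force_encoding(Encoding::UTF_8).scrub(REPLACEMENT)
      .each_codepoint
      .map { |cp| noncharacter?(cp) ? REPLACEMENT : cp.chr(Encoding::UTF_8) }
      .join
end

# Stand-in for the Markdown pipeline (assumption, not GitLab's renderer):
# it turns [label](url) into an anchor and raises on noncharacters,
# modelling a renderer that blows up on unexpected input.
def render_markdown(text)
  text.each_codepoint do |cp|
    raise ArgumentError, format('bad code point U+%04X', cp) if noncharacter?(cp)
  end
  text.gsub(/\[([^\]]*)\]\(([^)\s]*)\)/) do
    %(<a href="#{CGI.escapeHTML(Regexp.last_match(2))}">#{CGI.escapeHTML(Regexp.last_match(1))}</a>)
  end
end

# Step 2: render every note on its own. A failure in one note yields an
# error marker for that note only, instead of a 500 for the whole
# discussions.json payload.
def render_discussion(notes)
  notes.map do |note|
    { id: note[:id], html: render_markdown(sanitize_comment(note[:body])), error: nil }
  rescue StandardError => e
    { id: note[:id], html: nil, error: e.class.name }
  end
end

# Constructed sample notes: a normal one, one with a noncharacter inside a
# link label, one with an invalid UTF-8 byte sequence, and one with a
# missing body to show that an unrelated failure stays isolated.
SAMPLE_NOTES = [
  { id: 1, body: 'See [the docs](https://example.test/docs)' },
  { id: 2, body: "Broken [link\uFFFF](https://example.test/x)" },
  { id: 3, body: "Bytes \xF4\x90\x80\x80 here" },
  { id: 4, body: nil },
].freeze

if $PROGRAM_NAME == __FILE__
  render_discussion(SAMPLE_NOTES).each { |r| puts r.inspect }
end
```

Without the sanitising step, notes 2 and 3 raise inside `render_markdown` (a noncharacter and an invalid byte sequence respectively), which is the shape of failure the report describes; with it, both render with U+FFFD in place of the bad input, and the deliberately broken note 4 is reported as an error entry while the other three still load.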
Attachments