The co-founder of HackerOne, Jobert Abma, has reported a critical GitLab vulnerability that allowed remote code execution on application servers.
Abma says the vulnerability allowed anyone who could create projects to pop the servers hosting GitLab if administrators enabled importation of previously-exported GitLab files.
Attackers can steal administrator authentication tokens by creating projects and adding GitLab administrators.
Tokens are created for every user in a project and can be captured by creating and emailing off an export, Abma says.
Abma posted the entire vulnerability detail and discovery process on the GitLab HackerOne portal.
The bugs were serious enough for GitLab to issue an early warning telling admins to prepare for the then-looming "major security update".
GitLab urged admins to apply the patch with the following missive:
"This (import/export project) feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account.
"This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users."
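The missing check GitLab describes can be illustrated with a pre-extraction scan of an uploaded archive. This is an added example in Python, not GitLab's code and not part of the original article; the entry names, the placeholder link target and the function names are constructed for illustration.

```python
import io
import posixpath
import tarfile


def unsafe_members(archive_bytes):
    """Return (name, reason) for every entry an importer should refuse."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                # A link is resolved by whoever reads the extracted tree, so
                # it can name any file the service account can read.
                findings.append((m.name, "link to " + m.linkname))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "special file"))
            elif m.name.startswith("/") or ".." in posixpath.normpath(m.name).split("/"):
                findings.append((m.name, "path escapes import directory"))
    return findings


def build_sample(with_symlink):
    """Constructed sample export: one JSON file, optionally one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b'{"description": "constructed sample"}'
        info = tarfile.TarInfo("project.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        if with_symlink:
            link = tarfile.TarInfo("uploads/avatar.png")
            link.type = tarfile.SYMTYPE
            link.linkname = "/placeholder/config/secrets.yml"  # constructed target
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("tampered", build_sample(True))):
        print(label, unsafe_members(blob) or "ok to import")
```

An importer would run a scan like this before unpacking anything and reject the whole upload on the first finding, rather than skipping individual entries.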
Abma did not gain a cash reward for the GitLab vulnerability reports submitted through HackerOne nor for the cross-site scripting, leaks, and privilege escalation flaws he previously reported within the service.
He did score US$1000 of HackerOne cash for bug reports affecting analytics company Bime, and a large but undisclosed amount for spotting a Yahoo! bug.