
GitLab Cross-Site Scripting (XSS) Vulnerability 2024


Introduction

This vulnerability was identified as a Stored XSS issue, which means malicious code could be injected and stored within GitLab. When a user views a specific PDF file, the code could be executed, potentially compromising their account.


Detailed Vulnerability Description:

This vulnerability lies in how GitLab renders PDF files through the PDF.js library. An attacker could exploit this flaw by:

  • Uploading a Malicious PDF: The attacker uploads a PDF file to a GitLab repository. This PDF would contain specially crafted JavaScript code designed for XSS.
  • Stored XSS: When another user views the PDF within GitLab (using the built-in PDF viewer powered by PDF.js), the malicious code embedded in the PDF gets executed. This is because GitLab doesn't properly sanitize the PDF content before displaying it.

How did this attack happen:
[Image: how a hacker performs an XSS attack in GitLab]


The image illustrates how an attacker steals user information with this method. Below is a scenario describing how an attacker performs this attack and steals user data.

First, the attacker creates a PDF file containing malicious XSS code. Once this file is stored on the GitLab server, the attacker starts finding victims through social engineering, for example by offering lucrative prizes for viewing the PDF. When a user views the malicious PDF, their GitLab session is exposed; the attacker captures that session and uses it to steal data from the user's account. This happens because GitLab doesn't properly sanitize the PDF content before displaying it.

Potential Impact:  
The malicious code could then perform various actions depending on the attacker's intent. Here are some possibilities:
  • Stealing User Data: The code could steal cookies or session tokens, allowing the attacker to hijack the user's GitLab session and access their data.
  • Spreading Malware: The code could redirect the user to malicious websites that download malware onto their device.
  • Defacing Content: The code could alter the content displayed on the user's screen, including potentially injecting misleading information.

Recommendations:

  • GitLab users: Be cautious when opening PDFs from untrusted sources within GitLab. If unsure about a PDF's origin, download it and use a reputable PDF reader to view it outside of GitLab.
  • GitLab administrators: Update GitLab to the latest patched version to address this vulnerability.
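An added example, not code from the original post, GitLab or PDF.js: a server-side triage check (hypothetical `triagePdf`) that flags uploaded PDFs carrying JavaScript actions before a browser-side viewer such as PDF.js renders them. It scans raw bytes only, so object streams and compressed content are sent to review rather than trusted, `#XX`-escaped names are normalized first, and the sample PDF is constructed.

```javascript
// Added example (not GitLab's or PDF.js's code): a pre-filter that flags
// uploaded PDFs carrying JavaScript actions before a browser viewer renders them.
// Names that indicate active content. A PDF name ends at whitespace or a
// delimiter, so "/JS" must match "/JS (...)" but not "/JSX".
const RISKY_NAMES = {
  JavaScript: 'JavaScript action dictionary',
  JS: 'inline or stream-backed JavaScript code',
  OpenAction: 'action run when the document is opened',
  AA: 'additional actions bound to page, field or document events',
};
// A raw byte scan cannot see inside these; decode and re-scan before trusting a clean result.
const OPAQUE_NAMES = {
  ObjStm: 'object stream (hides whole dictionaries)',
  FlateDecode: 'compressed stream content',
};

// Names may encode bytes as #XX (e.g. /J#53 for /JS); undo that first so
// obfuscated names are matched like plain ones.
function normalizeNames(text) {
  return text.replace(/#([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function findNames(text, table) {
  const findings = [];
  for (const [name, why] of Object.entries(table)) {
    // Delimiters per the PDF spec: whitespace ( ) < > [ ] { } / %
    const re = new RegExp(`/${name}(?=[\\s()<>\\[\\]{}/%]|$)`, 'g');
    const count = (text.match(re) || []).length;
    if (count > 0) findings.push({ name, why, count });
  }
  return findings;
}

// Verdict: 'reject' (not a PDF), 'block', 'review' (opaque content) or 'allow'.
function triagePdf(buf) {
  const text = normalizeNames(buf.toString('latin1'));
  // The %PDF-x.y header must appear within the first 1024 bytes.
  if (!/%PDF-\d\.\d/.test(text.slice(0, 1024))) {
    return { verdict: 'reject', risky: [], opaque: [] };
  }
  const risky = findNames(text, RISKY_NAMES);
  const opaque = findNames(text, OPAQUE_NAMES);
  const verdict = risky.length ? 'block' : opaque.length ? 'review' : 'allow';
  return { verdict, risky, opaque };
}

// Constructed sample (not a file from the article): catalog with an OpenAction
// pointing at a JavaScript action, names obfuscated with #XX escapes.
const SAMPLE = Buffer.from('%PDF-1.7\n1 0 obj << /Type /Catalog /Open#41ction 2 0 R >> endobj\n' +
  '2 0 obj << /S /Java#53cript /J#53 (noop) >> endobj\n%%EOF', 'latin1');
console.log(triagePdf(SAMPLE).verdict); // block
```

A 'review' verdict means the filter could not see the whole file; a real deployment would inflate the streams and re-run the check before allowing the upload.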

GitLab's patch release info: Here
