Liberapay: Publicly editable GitHub wikis

2018-12-10T22:08:57
ID H1:460121
Type hackerone
Reporter strukt
Modified 2018-12-12T18:37:04

Description

Hello team,

While browsing https://github.com/liberapay I found that many of the repositories have their wikis publicly editable by any GitHub user. The following are some of the affected repositories:

https://github.com/liberapay/cardregistration-js-kit/wiki
https://github.com/liberapay/mangopay2-python-sdk/wiki

I went on and created the following wiki page as a PoC: https://github.com/liberapay/cardregistration-js-kit/wiki/PoC

Impact

This enables an attacker to edit the wiki pages of the affected repositories completely remotely, adding content that may link to malicious code libraries that would be installed and used by developers, or information that may mislead your users.