GitLab: information disclosure of secret_key_base via encoding characters

2018-12-11T17:52:43
ID H1:460545
Type hackerone
Reporter paresh_parmar
Modified 2019-06-13T23:02:54

Description

@paresh_parmar discovered an error page that was disclosing the value of the secret_key_base key of customers.gitlab.com to unauthenticated users, which would have allowed an attacker to arbitrarily decrypt signed cookies.

So I was fuzzing one parameter with different types of encodings, and one character threw an error page. That page has the secret token (Rails) of the application.

You can get RCE using the secret key base token, but in this case serialization was JSON ("action_dispatch.cookies_serializer"=>:json), so RCE was not possible that time. Still, you can do lots of stuff with the secret_key_base of the application, depending on the application logic.

Similar issue by @bugdiscloseguys at: https://blog.harshjaiswal.com/rce-due-to-showexceptions
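
A defensive illustration of the failure described in this report, added here and not taken from GitLab's code or the reporter's: a Rack-style middleware (the name SecretLeakGuard is hypothetical) that swaps any response containing the application's secret_key_base for a generic 500 and logs the event. The secret value and the leaky app below are constructed samples that assume an error page dumping the request env.

```ruby
# Added example. Refuses to send a response body that contains a known secret.
class SecretLeakGuard
  GENERIC_BODY = "Internal Server Error"

  # app:     downstream Rack-compatible app (anything responding to #call)
  # secrets: values that must never reach a client, e.g. secret_key_base
  # logger:  optional callable that receives a one-line alert message
  def initialize(app, secrets:, logger: nil)
    @app = app
    # Skip nil and very short values so ordinary words do not trigger the guard.
    @secrets = secrets.compact.map(&:to_s).reject { |s| s.length < 16 }
    @logger = logger
  end

  def call(env)
    status, headers, body = @app.call(env)
    text = +""
    body.each { |chunk| text << chunk.to_s } # buffer so the whole body is checked
    body.close if body.respond_to?(:close)
    return [status, headers, [text]] unless leaks?(text)

    @logger&.call("secret material in response: path=#{env['PATH_INFO']} status=#{status}")
    headers = { "content-type" => "text/plain",
                "content-length" => GENERIC_BODY.bytesize.to_s }
    [500, headers, [GENERIC_BODY]]
  end

  private

  def leaks?(text)
    @secrets.any? { |secret| text.include?(secret) }
  end
end

CONSTRUCTED_SECRET = "ab" * 64 # constructed sample value, not a real key

# Constructed stand-in for an app whose error page prints the request env.
LEAKY_APP = lambda do |env|
  if env["PATH_INFO"] == "/error"
    dump = %("action_dispatch.secret_key_base"=>"#{CONSTRUCTED_SECRET}", ) +
           %("action_dispatch.cookies_serializer"=>:json)
    [500, { "content-type" => "text/html" }, ["<pre>#{dump}</pre>"]]
  else
    [200, { "content-type" => "text/plain" }, ["ok"]]
  end
end
```

Buffering the full body gives up streaming in exchange for the check, so this is a backstop behind disabling detailed error pages for remote users, not a replacement for it.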