CVE-2023-3922 - Overview & Exploit of a GitLab UI Link Hijacking Vulnerability

Summary:
CVE-2023-3922 is a recent security issue discovered in GitLab, the popular code repository and CI/CD platform. This vulnerability affects multiple GitLab versions and allows attackers to hijack certain links and buttons in the GitLab User Interface (UI), redirecting users to malicious pages. This post explains the vulnerability in simple terms, provides an exploit example, and shares relevant resources.

What Is CVE-2023-3922?

CVE-2023-3922 is a CWE-601: Open Redirect vulnerability affecting GitLab’s UI. It is possible for attackers to manipulate some UI elements (like links and buttons) so that when clicked, they take you to an attacker's chosen website instead of a safe or expected location.

Malware: Sending users to sites that exploit browser bugs or try to install malicious software.

- Session Hijacking: Capturing session tokens if the user is tricked into submitting sensitive data.

How Does the Attack Work?

1. The attacker sends a crafted link or button (possibly through a merge request, comment, or other collaborative features).
2. The crafted link uses a vulnerable UI feature in GitLab to redirect to an external, attacker-controlled website.
3. When a victim clicks the link from within the GitLab interface, they may not realize they are leaving the trusted platform.

Example Attack Scenario

Suppose there's a button in a merge request that links to project documentation. The attacker crafts the URL so that when the button is rendered, it actually sends users to https://evil.example.com.

Imagine the GitLab web UI had a link construction code like this

<!-- Insecure example from the UI template -->
<a href="<%= params[:next] %>">Go to next page</a>

If params[:next] is not properly sanitized, a malicious user could submit

/merge_requests/new?next=https://evil.example.com

Clicking the "Go to next page" button would take the user out of GitLab, to a fraudulent domain.

Step 1: Attacker submits the following as part of a GitLab issue

Check this out: https://evil.example.com" rel="nofollow">Malicious Link

Step 2: Victim (an admin or developer) clicks the link in GitLab UI.

Step 3: The server sends the victim to https://evil.example.com instead of a GitLab page.

Be Careful With Links:

If you are on an older version, be skeptical of unusual links or buttons, especially those pointing to unfamiliar domains.

Monitor Logs:

Review GitLab logs for suspicious redirections or patterns involving the next or similar query parameters in URLs.

Original References

- Official GitLab Advisory: https://about.gitlab.com/releases/2023/10/10/security-release-gitlab-16-4-1-released/
- CVE Profile: https://nvd.nist.gov/vuln/detail/CVE-2023-3922

Exclusive: How to Stay Safe

GitLab admins should patch immediately. Users should avoid clicking unknown or suspicious links, even inside trusted platforms like GitLab, especially if the server is out of date.

If you want to see whether your GitLab is affected, you can test by creating a link within GitLab that redirects outside your domain. If it works, you’re still vulnerable.

If you are developing for GitLab or a similar platform, make sure to check all URLs

# Before redirecting, ensure the URL is internal
def safe_redirect(url)
  uri = URI.parse(url)
  if uri.host.nil? && !url.start_with?('//')
    redirect_to url
  else
    redirect_to '/'
  end
end

Only allow redirects to internal pages unless there's a robust allowlist.


Stay updated, stay secure!
Got questions or want to share your experience? Let us know in the comments.


*This post is brought to you exclusively; always credit original advisories for critical details.*

Timeline

Published on: 09/29/2023 08:15:09 UTC
Last modified on: 10/03/2023 19:46:15 UTC