[HN Gopher] Gitlab servers are being exploited in DDoS attacks
       ___________________________________________________________________
        
       Gitlab servers are being exploited in DDoS attacks
        
       Author : intunderflow
       Score  : 56 points
       Date   : 2021-11-04 21:24 UTC (1 hours ago)
        
 (HTM) web link (therecord.media)
 (TXT) w3m dump (therecord.media)
        
       | Eduard wrote:
       | As the exploit requires uploading a file, is it required for the
       | attacker to first have a user account with file upload
       | permissions?
        
         | nielsole wrote:
          | Anyone who can open issues in a repo, I think.
        
       | magicalhippo wrote:
       | From the issue report[1] comments:
       | 
       | > Thanks in no small part to your recent findings, [GitLab] are
       | rolling back our policy about paying half-bounties for third
       | party findings. These have great impact on GitLab and we want to
       | continue to incentivize research for high+ severity issues in
       | that area.
       | 
       | At least they're taking these things a bit more seriously now.
       | 
       | [1]: https://hackerone.com/reports/1154542
        
       | buildbuildbuild wrote:
        | This happened to all Gitlab instances that I manage around 2 days
        | ago. Good to see publicity, I'm still dealing with
        | not-so-understanding abuse departments at my hosting providers.
       | 
       | Sure, my fault for not keeping it up to date. But there is much
       | noise to filter through in the many tools we juggle these days,
       | especially if an organization prefers to self-host.
        
         | SV_BubbleTime wrote:
         | Article said GitLab patched back in April. Safe to say you
         | didn't deploy these patches?
         | 
         | No judgment. I'm paid to make things, not apply patches. This
         | is however why I don't use self-hosted, pros and cons, etc.
        
       | codegeek wrote:
       | "..Bowling said he discovered a way to abuse how ExifTool handles
       | uploads for DjVu file format used for scanned documents to gain
       | control over the entire underlying GitLab web server"
       | 
       | Ah, the good old "File upload vulnerability". File uploads remain
       | one of the hardest problems to solve when it comes to security.
        
         | tata71 wrote:
         | Is that because people use hackjob dependencies to handle it
         | more often than not?
        
           | djbusby wrote:
           | ExifTool is hackjob? I think not.
           | 
           | But also, file uploads should be handled in a jail or box of
           | some type - and never let their analysis make network calls.
        
         | seph-reed wrote:
         | > File uploads remain one of the hardest problems to solve when
         | it comes to security.
         | 
         | Why? It seems like they should have read/write but no execute.
         | What goes wrong?
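
An added example (not code from this thread, from GitLab or from ExifTool) of the "handle uploads in a jail and never let the analysis make network calls" approach suggested above, which also answers the read/write-but-no-execute question: the uploaded file is never executed, the parser is, so the parser is the process that has to be confined. It assumes Linux with unprivileged user namespaces and util-linux unshare(1); the allowed signatures, the size limit and the stub parser standing in for ExifTool are constructed for the example.

```python
import os
import resource
import shutil
import subprocess
import sys
import tempfile

# Leading-byte signatures for the formats we are willing to hand to a metadata
# parser at all.  The DjVu signature is the one from the format's public spec;
# the others are the well-known PNG and JPEG signatures.  Anything else is
# rejected before any parser runs.
ALLOWED_MAGIC = {
    b"AT&TFORM": "djvu",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # constructed policy value for this example


def sniff_upload(data: bytes):
    """Return the type detected from the leading bytes, or None if not allowed."""
    if len(data) > MAX_UPLOAD_BYTES:
        return None
    for magic, kind in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def _cap(limit: int, value: int) -> None:
    """Lower a soft rlimit to `value` without exceeding the hard limit."""
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, hard))


def _child_limits() -> None:
    """Runs in the child just before exec: bound CPU time and memory, no core dumps."""
    _cap(resource.RLIMIT_CPU, 5)                   # seconds of CPU for the parser
    _cap(resource.RLIMIT_AS, 1024 * 1024 * 1024)   # 1 GiB of address space
    _cap(resource.RLIMIT_CORE, 0)                  # never dump core of the parser


def analyze_in_jail(data: bytes, parser_cmd, isolate_network: bool = True,
                    timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Write the upload read-only into a scratch dir and run the parser over it.

    The upload is data and is never executed; the process being confined is the
    parser, because that is the code that actually runs on attacker-controlled
    bytes.  With isolate_network=True the parser starts in a fresh network
    namespace via unshare(1) (assumes Linux with unprivileged user namespaces),
    so it has no interface to make network calls on.  Missing isolation is an
    error, not a silent fallback.
    """
    kind = sniff_upload(data)
    if kind is None:
        raise ValueError("upload rejected: unknown signature or too large")

    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "upload." + kind)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o400)  # readable only: not writable, not executable

        cmd = list(parser_cmd) + [path]
        if isolate_network:
            unshare = shutil.which("unshare")
            if unshare is None:
                raise RuntimeError("unshare(1) not found; refusing to run parser with network access")
            # -U: new user namespace, -r: map us to root inside it,
            # -n: new network namespace with only a down loopback interface.
            cmd = [unshare, "-Urn", "--"] + cmd

        # Minimal environment: no proxy variables or home directory for the parser to pick up.
        env = {"PATH": "/usr/bin:/bin", "LANG": "C"}
        return subprocess.run(cmd, cwd=workdir, env=env, capture_output=True,
                              timeout=timeout, preexec_fn=_child_limits, check=False)


def run_stub_parser(data: bytes, isolate_network: bool = False) -> str:
    """Drive the jail with a constructed stand-in for ExifTool (not the real tool):
    a tiny script that reports the first 8 bytes of the file it was handed."""
    stub = [sys.executable, "-c",
            "import sys; print(open(sys.argv[1], 'rb').read(8).decode('latin-1'))"]
    proc = analyze_in_jail(data, stub, isolate_network=isolate_network)
    return proc.stdout.decode("latin-1").strip()


def rejects(data: bytes) -> bool:
    """True if the jail refuses to run any parser at all on this upload."""
    try:
        analyze_in_jail(data, [sys.executable, "-c", "pass"], isolate_network=False)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed DjVu-like header followed by padding; not a real document.
    sample = b"AT&TFORM" + b"\x00\x00\x00\x10" + b"DJVM" + b"\x00" * 16
    print(run_stub_parser(sample, isolate_network=True))
    print(rejects(b"MZ\x90\x00" + b"\x00" * 16))
```

The signature check is only a gate on what reaches the parser, not a guarantee about the file's contents; the protection that matters is that the parser runs with no network, bounded CPU and memory, a throwaway working directory and a read-only input, so a parser bug yields a crashed child rather than a foothold on the web server. The stub parser exists so the jail can be exercised offline; in a real deployment the command would be the actual metadata tool.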
        
       | [deleted]
        
       ___________________________________________________________________
       (page generated 2021-11-04 23:00 UTC)