[HN Gopher] Gitlab servers are being exploited in DDoS attacks
___________________________________________________________________

Gitlab servers are being exploited in DDoS attacks

Author : intunderflow
Score  : 56 points
Date   : 2021-11-04 21:24 UTC (1 hour ago)
Link   : therecord.media

| Eduard wrote:
| As the exploit requires uploading a file, is it required for the
| attacker to first have a user account with file upload
| permissions?
|
|   nielsole wrote:
|   Anyone who can open issues in a repo, I think.
|
| magicalhippo wrote:
| From the issue report[1] comments:
|
| > Thanks in no small part to your recent findings, [GitLab] are
| > rolling back our policy about paying half-bounties for third
| > party findings. These have great impact on GitLab and we want to
| > continue to incentivize research for high+ severity issues in
| > that area.
|
| At least they're taking these things a bit more seriously now.
|
| [1]: https://hackerone.com/reports/1154542
|
| buildbuildbuild wrote:
| This happened to all Gitlab instances that I manage around 2 days
| ago. Good to see publicity; I'm still dealing with not-so-
| understanding abuse departments at my hosting providers.
|
| Sure, my fault for not keeping it up to date. But there is much
| noise to filter through in the many tools we juggle these days,
| especially if an organization prefers to self-host.
|
|   SV_BubbleTime wrote:
|   Article said GitLab patched back in April. Safe to say you
|   didn't deploy these patches?
|
|   No judgment. I'm paid to make things, not apply patches. This
|   is, however, why I don't use self-hosted; pros and cons, etc.
|
| codegeek wrote:
| "..Bowling said he discovered a way to abuse how ExifTool handles
| uploads for DjVu file format used for scanned documents to gain
| control over the entire underlying GitLab web server"
|
| Ah, the good old "File upload vulnerability". File uploads remain
| one of the hardest problems to solve when it comes to security.
|
|   tata71 wrote:
|   Is that because people use hackjob dependencies to handle it
|   more often than not?
|
|     djbusby wrote:
|     ExifTool is hackjob? I think not.
|
|     But also, file uploads should be handled in a jail or box of
|     some type - and never let their analysis make network calls.
|
|   seph-reed wrote:
|   > File uploads remain one of the hardest problems to solve when
|   > it comes to security.
|
|   Why? It seems like they should have read/write but no execute.
|   What goes wrong?

___________________________________________________________________
(page generated 2021-11-04 23:00 UTC)
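The exchange above (codegeek's "file upload vulnerability", djbusby's "handle uploads in a jail" and seph-reed's "what goes wrong?") turns on one point: the server decided what to do with the upload from the file name, while the library decided from the bytes, and a DjVu document dressed up as an image reached a parser nobody intended to expose. The following is an added example, not code from GitLab, ExifTool or the article: it sniffs the real format from published magic numbers, compares it with the format the file name claims, and only lets an explicitly allowlisted format through. The format table, the allowlist, the `check_upload` helper and the sample bytes are all constructed for this illustration.

```python
"""Content-sniffing allowlist for uploaded images (added example).

Not GitLab's or ExifTool's code. Assumed design: the upload endpoint
decides what a file *is* from its leading bytes, refuses anything that
is not on a short allowlist, refuses anything whose bytes disagree with
its name, and only then hands the file to a metadata parser (which, as
djbusby says, should itself run in a jail with no network access).
"""
from dataclasses import dataclass
from typing import Optional

# Published file signatures: list of (offset, bytes) fragments that must
# all match. DjVu is present only so it can be recognised and refused:
# "AT&TFORM" + 4-byte big-endian length + "DJVU"/"DJVM"/"DJVI" chunk id.
SIGNATURES = {
    "jpeg": [(0, b"\xff\xd8\xff")],
    "png":  [(0, b"\x89PNG\r\n\x1a\n")],
    "gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    "webp": [(0, b"RIFF"), (8, b"WEBP")],
    "djvu": [(0, b"AT&TFORM"), (12, b"DJV")],
}

# Formats this endpoint is willing to pass on to a parser (assumption:
# an "image upload" endpoint). DjVu is deliberately absent.
ALLOWED = frozenset({"jpeg", "png", "gif", "webp"})

# What a client-supplied extension *claims* the content is.
EXTENSION_TO_FORMAT = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "webp": "webp",
}


def sniff(data: bytes) -> Optional[str]:
    """Return the first format whose every signature fragment matches."""
    for fmt, fragments in SIGNATURES.items():
        # GIF lists alternatives; treat a single-fragment-per-alternative
        # table as "any alternative matches" by checking each fragment
        # set independently when offsets collide.
        if fmt == "gif":
            if any(data[off:off + len(sig)] == sig for off, sig in fragments):
                return fmt
            continue
        if all(data[off:off + len(sig)] == sig for off, sig in fragments):
            return fmt
    return None


@dataclass
class Verdict:
    accepted: bool
    detected: Optional[str]
    reason: str


def check_upload(filename: str, data: bytes) -> Verdict:
    """Decide whether an upload may be handed to the image metadata parser."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TO_FORMAT.get(ext)
    detected = sniff(data)
    if claimed is None:
        return Verdict(False, detected, f"extension {ext!r} is not allowlisted")
    if detected is None:
        return Verdict(False, None, "content matches no known signature")
    if detected not in ALLOWED:
        # This is the DjVu-as-.jpg case: the name is fine, the bytes are not.
        return Verdict(False, detected, f"{detected} content is not allowlisted")
    if detected != claimed:
        return Verdict(False, detected,
                       f"content is {detected} but the name claims {claimed}")
    return Verdict(True, detected, "ok")


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real incident.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "scan.jpg":  b"AT&TFORM\x00\x00\x00\x10DJVUINFO",   # DjVu wearing a .jpg name
        "logo.png":  b"GIF89a\x01\x00\x01\x00",             # GIF wearing a .png name
        "tool.exe":  b"MZ\x90\x00",
    }
    for name, blob in samples.items():
        v = check_upload(name, blob)
        print(f"{name:10} -> {'ACCEPT' if v.accepted else 'REJECT'} ({v.reason})")
```

Sniffing is necessary but not sufficient: a file that passes this check can still be a malicious JPEG, so the parser that runs next should be treated as untrusted, with a timeout, no network, and no write access outside a scratch directory. The allowlist also only helps if the parser is given exactly the files the allowlist admits; an exotic format the parser recognises but the application never expected is the gap the thread is describing.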