✉️ Sign up for the mailing list: https://bbre.dev/nl
Follow me on Twitter: https://bbre.dev/tw
This video is about a vulnerability in GitLab that allowed reading arbitrary files from the server. The reporter, William Bowling, was awarded a $29,000 bug bounty.
Get $100 in credits for Digital Ocean: https://bbre.dev/do
Report: https://hackerone.com/reports/1439593
Reporter’s Twitter: https://twitter.com/wcbowling
Timestamps:
00:00 Intro
00:34 Importing GitLab groups
02:00 Symlinks
04:30 POC – reading arbitrary files on GitLab