? Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
? Follow me on twitter: https://bbre.dev/tw

This video is about a vulnerability in GitLab that allowed reading any files from the server. The reporter, William Bowling, was rewarded $29,000 of bug bounty.

? Get $100 in credits for Digital Ocean: https://bbre.dev/do

Report: https://hackerone.com/reports/1439593
Reporter’s Twitter: https://twitter.com/wcbowling


00:00 Intro
00:34 Importing GitLab groups
02:00 Symlinks
04:30 POC – reading arbitrary files on GitLab

Add comment

Your email address will not be published. Required fields are marked *