
Removing another user's admin access by an attacker.

HackerOne report #637674 by giddsec on 2019-07-08, assigned to estrike:

Summary

An attacker can remove other GitLab users' administrative privilege.

Steps to reproduce

You need two test accounts.

Go to: https://gitter.im/home/explore#createcommunity

  1. The victim creates a community.
  2. Invite a user (the attacker) or have them join the community.
  3. The victim grants admin access to the other user (the attacker).
  4. The attacker goes to Settings, selects "Only GitHub users are allowed to join this room", then clicks Submit.
  5. The GitLab administrator (the victim) loses admin access.

Remediation:

As an administrator of the community, the user (victim) must still have admin access to the settings/permissions even though they were changed recently by another admin (the attacker), because the user (victim) is still an administrator.
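To make the remediation concrete, here is an added example that is not Gitter's code: a hypothetical model of a room's membership and join policy, with a variant that reproduces the demotion described above beside a hardened variant that treats the join policy as affecting future joins only and enforces the invariant that no existing admin is demoted by a settings change. All names (`createRoom`, `restrictProviders`, the `provider` field) are assumptions for the illustration.

```javascript
// Hypothetical room model (constructed for this example, not Gitter's data model).
// providers === null means any identity provider may join.
function createRoom(owner) {
  return { providers: null, members: new Map([[owner.id, { ...owner, admin: true }]]) };
}

function addMember(room, user, { admin = false } = {}) {
  room.members.set(user.id, { ...user, admin });
}

function listAdmins(room) {
  return [...room.members.values()].filter((m) => m.admin).map((m) => m.id);
}

// Whether a new user may join under the current policy.
function canJoin(room, user) {
  return room.providers === null || room.providers.includes(user.provider);
}

// Buggy variant: applies the new provider restriction to existing members too,
// so an admin whose identity comes from another provider (e.g. GitLab) silently
// loses the admin flag and can no longer revert the setting.
function restrictProvidersBuggy(room, providers) {
  room.providers = providers;
  for (const m of room.members.values()) {
    if (!providers.includes(m.provider)) m.admin = false;
  }
}

// Hardened variant: the join policy only governs who may join from now on.
// Existing membership and admin flags are left untouched, and the invariant
// "a settings change never demotes an existing admin" is checked explicitly
// so a regression fails loudly instead of locking the room's owner out.
function restrictProviders(room, providers) {
  const adminsBefore = listAdmins(room);
  room.providers = providers;
  const adminsAfter = listAdmins(room);
  const demoted = adminsBefore.filter((id) => !adminsAfter.includes(id));
  if (demoted.length > 0) {
    throw new Error(`join-policy change must not demote existing admins: ${demoted}`);
  }
  return room;
}
```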

Impact

Things like this on a program can be manipulated by an attacker by removing another user's admin access, because once this GitLab user has lost admin access to the room, he/she will not be able to change the settings back.

Relevant code

Edited by Eric Eastwood