Odd /search.old and /search.bak urls on my gitlab instance

Hey everyone ! how’s it going ? Happy new year :slight_smile:

I’m currently dealing with a couple of vulnerabilities that I have to fix on my selfhosted instance, and one of those vulnerabilities are that I’m able to reach this two specific URLs, but they don’t do anything at all.

Basically domain.com/search.old and domain.com/search.bak are accessible while being logged in or not. I tried searching online but came up with nothing. Anyone have an idea ?

If you go to Admin Area → Settings → General → Visibility and access controls and then under “Restricted visibility levels” make sure the Public option is selected, and private/internal deselected, then no projects, users, or search will be possible without being logged in.

If you’ve already done this, then the fact the page loads, but doesn’t allow you to find anything, means there is nothing wrong, and no vulnerability whatsoever. I would be more worried about it, if the search worked.

1 Like

You are absolutely correct on this one. It is current selected as public.

Learning new things every day, thank you so much for this information iwalker !

1 Like