Improper Handling of Values in utmsigep/member-directory

Reported on May 15th 2021

✍️ Description

Entering unintended values during the member creation flow causes unusual database state, unhandled exceptions/stack trace disclosure and denial of service due to continuous page crashes.

🕵️‍♂️ Proof of Concept

  • Select a member-status/group, then Create New Member.
  • Enter an invalid value into the Local Identifier field, e.g. an XSS payload such as <img src=x onerror="alert('L ID')" />
  • Hit Save. The page crashes with a 500: Internal Server Error.
  • Hit the back button and correct the error: enter an integer into the Local Identifier field and hit Save.
  • Navigate to other pages in the application, for example the Recent Changes page. The page immediately crashes with a stack trace and the error: An exception has been thrown during the rendering of a template ("Parameter "localIdentifier" for route "member_show" must match "[^/]++" ("<img src=x onerror="alert('L ID')" />" given) to generate a corresponding URL.").
  • The error contains the payload that caused the first crash, i.e. the invalid value was persisted despite the 500 on the first save. This value should never make it into the database.
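A defender-side check for the flow above, added here as a PHP example that is not code from member-directory: the route name and the "[^/]++" requirement come from the quoted error, while the validation functions and the sample inputs are hypothetical. It rejects a non-integer Local Identifier before it can be persisted, and shows why the reported payload later fails route generation.

```php
<?php
declare(strict_types=1);

// Same requirement Symfony reported for the "localIdentifier" parameter of
// the "member_show" route (anchored as the router does). Hypothetical constant.
const ROUTE_REQUIREMENT = '/^[^\/]++$/';

/**
 * Accept only a plain whole number. Throwing here keeps the value out of the
 * database, so a later URL generation for member_show cannot fail on it.
 */
function validateLocalIdentifier(string $raw): int
{
    $trimmed = trim($raw);
    if (!preg_match('/^[0-9]+$/', $trimmed)) {
        throw new InvalidArgumentException(
            'Local Identifier must be a whole number, got: ' . substr($trimmed, 0, 40)
        );
    }
    return (int) $trimmed;
}

/**
 * Check for rows stored before validation existed: true when the stored value
 * satisfies the route requirement, so a template can skip the link for a bad
 * record instead of throwing and taking the whole page down.
 */
function matchesRouteRequirement(string $stored): bool
{
    return preg_match(ROUTE_REQUIREMENT, $stored) === 1;
}

// Constructed inputs: the payload from the report and a valid identifier.
$samples = ['<img src=x onerror="alert(\'L ID\')" />', '1042'];
foreach ($samples as $sample) {
    try {
        $id = validateLocalIdentifier($sample);
        echo "accepted: $id\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
    // The payload ends in "/>", so "[^/]++" cannot match it; the integer can.
    echo '  route requirement ' . (matchesRouteRequirement($sample) ? 'passes' : 'fails') . "\n";
}
```

The second function only mitigates the rendering crash for records that already slipped through; the first is the actual fix, since the invalid value should be refused at the form or entity level.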

💥 Impact

The application state for broken pages is not recoverable unless changes are made to the database directly. This causes denial of service/lockout on certain features across the application and potential unintended behaviour in the flows that do still work.