Able to create an user with a long password as well as long username in snipe/snipe-it

Valid

Reported on

May 12th 2022


Issue Description:

Any admin may able to create and allocate user the credentials but when admin creates a user account where as the fields with the first name , last name and password has no defined length limit where as this scenario causes the application level DOS to the snipe-it

What's the meaning of application level DOS ?

An application DDoS attack may target the processes that generate web pages in response to simple HTTP requests. One HTTP request may be small, but the required work to respond by the server may be many times larger. As a result, threat actors may flood the server with many HTTP requests, making it impossible for the server to respond to legitimate requests in any practical timeframe. Examples typically include website forms (login, uploading of photo/video, submitting feedback, etc.).

Steps to Reproduce:

  • After logged in via the admin page , Go to create user functionality

user.png

  • Now we can generate a random string with length of 32k character with the following tool

Random String generator

user-1.png

  • Now click on create user, the user will be created with max length of 32k character without length restriction and entity wasn't been checked. So this kind of attack will lead to resource consumption as well as application level DOS

Impact

A Large Payload Post is an application attack where the threat actor manipulates the XML encoding used by targeted web servers. The threat actor sends the webserver a data structure encoded in XML. The server then attempts to decode but is forced to use rapidly increasing amounts of memory, thus overwhelming the system and crashing the service.

Occurrences

Implement a rule with all the Input fields while creating a user with the max characters upto 500

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 10 days ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 9 days ago
snipe modified the Severity from High to Low 9 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
snipe validated this vulnerability 9 days ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
snipe confirmed that a fix has been merged on cf4b41 9 days ago
snipe has been awarded the fix bounty
UsersCest.php#L48-L87 has been validated
to join this conversation