Improper Control of a Resource Through its Lifetime in the input field "Bookmark Tabs" in causefx/organizr

Status: Valid

Reported on May 13th 2022


Description

The Organizr application does not limit the length of the "Bookmark Tabs" input field: it accepts an input of 1,000,000 characters, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Proof of Concept

1. Log in to the application.

2. Go to "Tab Editor" -> "Bookmark Tabs".

3. Click on the + button, fill in all details, capture the request in Burp Suite, and send it to Repeater.

4. Now copy the payload from this link: https://drive.google.com/file/d/11AwLp8Ae1_eJqGb44W9QJDtPmVw-1RSQ/view?usp=sharing and paste it after the parameter name=, then click Go.

5. You will see that the application accepts 1,000,000 characters.

Video PoC

https://drive.google.com/file/d/1MWY3ixJ3oyoigy_MGqnIvIPjRaNj6mHh/view?usp=sharing
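The missing control in the PoC above is a server-side length check on the form fields before they are processed. The following is an added example written for this report, not Organizr's own code or its actual fix; the field names (name, url, image) and the per-field limits are assumptions.

```php
<?php
// Added example, not Organizr's own code. Validates Bookmark Tab input
// before it reaches any further processing or storage.
// Field names and limits are assumptions, not taken from the project.

const BOOKMARK_TAB_LIMITS = [
    'name'  => 50,    // hypothetical cap on the tab display name
    'url'   => 2048,  // hypothetical cap on the bookmark URL
    'image' => 2048,  // hypothetical cap on the icon URL or path
];

/**
 * Returns an empty array when the input is acceptable, otherwise a list of
 * error strings, one per violated rule.
 */
function validateBookmarkTab(array $input): array
{
    $errors = [];
    foreach (BOOKMARK_TAB_LIMITS as $field => $max) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {
            $errors[] = "$field must be a string";
            continue;
        }
        // mb_strlen counts characters, strlen counts bytes. A cap on both
        // stops a long ASCII payload and a shorter multibyte payload that
        // would still produce an oversized row.
        if (mb_strlen($value, 'UTF-8') > $max || strlen($value) > 4 * $max) {
            $errors[] = "$field exceeds $max characters";
        }
    }
    if (filter_var($input['url'] ?? '', FILTER_VALIDATE_URL) === false) {
        $errors[] = 'url is not a valid URL';
    }
    return $errors;
}

// Constructed inputs: a normal tab, and the oversized name from the report.
$ok = [
    'name'  => 'Docs',
    'url'   => 'https://example.com/docs',
    'image' => 'https://example.com/icon.png',
];
$oversized = $ok;
$oversized['name'] = str_repeat('A', 1000000);

var_dump(validateBookmarkTab($ok));
var_dump(validateBookmarkTab($oversized));
```

Application-level checks like this only limit what gets stored; the request body itself should also be capped upstream (PHP's post_max_size and the web server's body size limit) so a flood of oversized requests is rejected before the application runs.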

Impact

This vulnerability can be abused in a DDoS attack, after which genuine users will not be able to access resources/applications.

causefx (Maintainer), 15 days ago:

This was already fixed while doing other inputs:

https://github.com/causefx/Organizr/commit/05ebc5a6269dd2469a0acff8a487600d0c922f43

SAMPRIT DAS (Researcher), 15 days ago:

Oh ok, sorry @Maintainer, so I need to update.

causefx validated this vulnerability 15 days ago
causefx confirmed that a fix has been merged on 05ebc5 15 days ago