Improper Control of a Resource Through its Lifetime in the input field "Bookmark Tabs" in causefx/organizr
Reported on
May 13th 2022
Description
The Organizr application allows an excessively long string to be inserted in the "Bookmark Tabs" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
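The missing control described above is a server-side bound on the length of the submitted field. The following is an added example of such a check, not Organizr's own code: only the `name` parameter comes from the report; the other field names and the per-field limits are assumptions chosen for illustration.

```php
<?php
// Added example, not Organizr's code: server-side length limits for the
// "Bookmark Tabs" form. Only `name` is taken from the report; the other
// field names and all limits are assumptions for illustration.
declare(strict_types=1);

const TAB_FIELD_LIMITS = [
    'name'  => 50,   // assumed: display name of the tab
    'url'   => 2048, // assumed: bookmark target
    'image' => 2048, // assumed: icon URL
];

/**
 * Validate the submitted tab fields before anything else touches them.
 * Returns a list of error strings; an empty list means the input is acceptable.
 */
function validateTabInput(array $input): array
{
    $errors = [];
    foreach (TAB_FIELD_LIMITS as $field => $maxChars) {
        if (!array_key_exists($field, $input)) {
            $errors[] = "$field: missing";
            continue;
        }
        $value = $input[$field];
        if (!is_string($value)) {
            $errors[] = "$field: must be a string";
            continue;
        }
        // strlen() is O(1) and counts bytes, so the cheap byte bound runs
        // first and short-circuits the O(n) character count. UTF-8 needs at
        // most 4 bytes per character, hence the factor of 4.
        if (strlen($value) > $maxChars * 4 || mb_strlen($value, 'UTF-8') > $maxChars) {
            $errors[] = "$field: exceeds $maxChars characters";
        }
    }
    return $errors;
}

// Constructed sample submissions: a normal tab and the oversized payload
// from the report (one million characters in `name`).
$good = ['name' => 'Wiki', 'url' => 'https://example.org/wiki', 'image' => ''];
$bad  = $good;
$bad['name'] = str_repeat('A', 1000000);

var_dump(validateTabInput($good));
var_dump(validateTabInput($bad));

// In a request handler, reject before any database or session work:
// if ($errors = validateTabInput($_POST)) { http_response_code(400); exit; }
```

A complementary limit at the PHP layer (post_max_size in php.ini) caps the whole request body, but it does not replace the per-field check, which is what decides how much of an accepted request reaches the database.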
Proof of Concept
1. Log in to the application.
2. Go to "Tab Editor" -> "Bookmark Tabs".
3. Click on the + button, fill in all details, capture the request in Burp Suite, and send it to Repeater.
4. Now copy the payload from this link: https://drive.google.com/file/d/11AwLp8Ae1_eJqGb44W9QJDtPmVw-1RSQ/view?usp=sharing and paste it after the parameter name=, then click Go.
5. You will see that the application accepts 1,000,000 characters.
Video PoC
https://drive.google.com/file/d/1MWY3ixJ3oyoigy_MGqnIvIPjRaNj6mHh/view?usp=sharing
Impact
This vulnerability can be abused to carry out a DDoS attack, after which genuine users will not be able to access the resources/applications.
References
This was already fixed as part of a change covering other inputs:
https://github.com/causefx/Organizr/commit/05ebc5a6269dd2469a0acff8a487600d0c922f43