DDOS attack by uploading a few hundred large files in tooljet/tooljet

Valid

Reported on Aug 28th 2022


Description

A normal user uploading a profile photo is not allowed a photo of more than 2 MB; I can upload a photo above the allowed limit.

Proof of Concept

https://drive.google.com/file/d/1jh0n9kOoFvW-esHg_pOtPeURTYjSIhDm/view?usp=sharing

Impact

What happens if a botnet starts uploading 100 MB files from 100 machines at the same time? This would mean that our network pipes are clogged handling 10 GB of data while slowing down our real customers... The answer: the site will go down and become unavailable.
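The report boils down to a size limit that exists in the UI but is not enforced by the server. The following is an added example, not ToolJet's code and not the reporter's, of how a server enforces such a limit in two stages: an early rejection based on the declared Content-Length, and an authoritative byte count on the body as it streams in, since the header can be absent (chunked transfer) or simply wrong. It assumes a plain Node.js request handler (`handleUpload` is hypothetical wiring, not a ToolJet route), takes the 2 MB figure from the report, and uses constructed sample bodies rather than captured traffic.

```javascript
// Added example (not ToolJet's code): enforce an upload size limit on the
// server, not only in the UI. 2 MB is the limit the report says the profile
// photo upload advertises; the handler is a plain Node.js http handler.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Gate 1: reject from the declared Content-Length before reading any body
// bytes. A missing header passes here (chunked uploads have none); the
// streaming gate below still bounds them.
function checkDeclaredLength(headers, limit = MAX_UPLOAD_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) {
    return { ok: true, status: 200, reason: 'no content-length; streaming limit applies' };
  }
  if (!/^\d+$/.test(raw)) {
    return { ok: false, status: 400, reason: 'malformed content-length' };
  }
  const n = Number(raw);
  if (n > limit) {
    return { ok: false, status: 413, reason: `declared ${n} bytes exceeds limit of ${limit}` };
  }
  return { ok: true, status: 200, reason: 'declared length within limit' };
}

// Gate 2: count bytes as they arrive. Content-Length can be absent or wrong,
// so the authoritative check is on what is actually received.
function createByteLimiter(limit = MAX_UPLOAD_BYTES) {
  let received = 0;
  return {
    // Returns false as soon as the running total exceeds the limit.
    push(chunk) {
      received += chunk.length;
      return received <= limit;
    },
    get received() {
      return received;
    },
  };
}

// Runs a body (an array of chunks) through both gates and reports the
// outcome; this is the path exercised without a live server.
function simulateUpload(headers, chunks, limit = MAX_UPLOAD_BYTES) {
  const declared = checkDeclaredLength(headers, limit);
  if (!declared.ok) {
    return { accepted: false, status: declared.status, bytesRead: 0, reason: declared.reason };
  }
  const limiter = createByteLimiter(limit);
  for (const chunk of chunks) {
    if (!limiter.push(chunk)) {
      // Stop consuming: every further byte would only cost bandwidth.
      return { accepted: false, status: 413, bytesRead: limiter.received, reason: 'body exceeded limit' };
    }
  }
  return { accepted: true, status: 200, bytesRead: limiter.received, reason: 'accepted' };
}

// The same two gates wired into a Node.js request handler (hypothetical
// wiring, not ToolJet's route). Closing the connection after the 413 stops
// the client from pushing the rest of an oversized body through the pipe.
function handleUpload(req, res, limit = MAX_UPLOAD_BYTES) {
  const declared = checkDeclaredLength(req.headers, limit);
  if (!declared.ok) {
    res.writeHead(declared.status, { Connection: 'close' });
    res.end(declared.reason, () => req.destroy());
    return;
  }
  const limiter = createByteLimiter(limit);
  const parts = [];
  req.on('data', (chunk) => {
    if (!limiter.push(chunk)) {
      res.writeHead(413, { Connection: 'close' });
      res.end('upload exceeds limit', () => req.destroy());
      return;
    }
    parts.push(chunk);
  });
  req.on('end', () => {
    if (res.writableEnded) return; // already rejected above
    res.writeHead(200);
    res.end(`stored ${Buffer.concat(parts).length} bytes`);
  });
}

// Constructed sample bodies, not captured traffic.
const SAMPLE_UPLOADS = {
  small: { headers: { 'content-length': '1024' }, chunks: [Buffer.alloc(1024)] },
  declaredHuge: { headers: { 'content-length': String(100 * 1024 * 1024) }, chunks: [Buffer.alloc(16)] },
  lyingHeader: { headers: { 'content-length': '1000' }, chunks: [Buffer.alloc(2 * 1024 * 1024), Buffer.alloc(1)] },
};
```

The `declaredHuge` sample is rejected with zero body bytes read, which is the case that matters for the bandwidth argument in the Impact section; `lyingHeader` shows why the streaming gate is still required when the header understates the body.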

We are processing your report and will contact the tooljet team within 24 hours. 3 months ago
We have contacted a member of the tooljet team and are waiting to hear back 3 months ago
We have sent a follow up to the tooljet team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the tooljet team. We will try again in 10 days. 3 months ago
We have sent a third and final follow up to the tooljet team. This report is now considered stale. 3 months ago
Navaneeth Pk validated this vulnerability 2 months ago
ahmed8magdy has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the tooljet team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the tooljet team. We will try again in 10 days. 2 months ago
ahmed8magdy (Researcher), 2 months ago:

@navaneeth-pk hi, when will you fix this bug?

We have sent a third and final fix follow up to the tooljet team. This report is now considered stale. 2 months ago
ahmed8magdy (Researcher), 2 months ago:

@navaneeth-pk any update?

Midhun G S marked this as fixed in v1.27.0 with commit 01cd3f 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
ahmed8magdy (Researcher), 2 months ago:

@navaneeth-pk and @admin can now store it as a CVE :)

ahmed8magdy (Researcher), a month ago:

@gsmithun4 can now store it as a CVE :)

Pavlos (Admin), a month ago:

@maintainer can we assign a CVE here?

ahmed8magdy (Researcher), a month ago:

@maintainer @admin @gsmithun4 can we assign a CVE here and make my report public?

Pavlos (Admin), a month ago:

Hi Ahmed! As soon as the maintainer publishes your report, they will decide whether to assign a CVE for it or not. I'm sure the maintainer will soon be back, give them some time :)

ahmed8magdy (Researcher), a month ago:

@gsmithun4 @navaneeth-pk any update?

Navaneeth Pk published this vulnerability 14 days ago