Allocation of Resources Without Limits in "Bookmark Categories" in causefx/organizr

Valid

Reported on

May 11th 2022

Description

The Organizr application allows large characters to insert in the input field "Bookmark Categories" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Proof of Concept

1.Login to the application

2.Go to "Tab Editor" -> "Categories" -> "Bookmark Categories".

3.Click on the + button fill in all details and capture the request in burp suites, and send it to Repeater.

4.Now copy the payload from this link:- https://drive.google.com/file/d/11AwLp8Ae1_eJqGb44W9QJDtPmVw-1RSQ/view?usp=sharing and paste after the parameter category= and click on go.

5.You will see application accepts 1,000,000 characters.

Video PoC

https://drive.google.com/file/d/1yGcGjxaTlHlSPvgMak8vCCZe7vFsZMZm/view?usp=sharing

Impact

This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

References

huntr.dev

We are processing your report and will contact the causefx/organizr team within 24 hours. 10 months ago

causefx validated this vulnerability 10 months ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

causefx marked this as fixed in 2.1.2000 with commit e4b4cf 10 months ago

causefx has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation