Out-of-bounds Write in cortezaproject/corteza-server

Valid

Reported on

Nov 8th 2021


Description

There's no bound on the number of characters (including special characters) in the user's name field.

Vulnerable Field: Full Name

By sending a very long string it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. The bulk (unbounded) input is stored on the server, and the DoS attack affects both the server side and the client side.

Proof of Concept

Reproduction steps

Go to: https://latest.cortezaproject.org/auth

Vulnerable field: Full Name

Update profile

Done

Impact

This vulnerability is capable of bringing down the availability of both client-side and server-side resources (application-level DoS).
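Corteza is written in Go, so here is an added example (not code from the corteza-server project; the limits, the JSON field name and the function names are assumptions) of the two bounds such a fix needs: a server-side length check on the Full Name value before it is stored, and a cap on the profile-update request body so an oversized payload is rejected while it is still being read.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"unicode"
	"unicode/utf8"
)

const (
	maxFullNameRunes = 128     // hypothetical cap on visible characters in "Full Name"
	maxProfileBody   = 4 << 10 // hypothetical cap on the profile-update request body (bytes)
)

var ErrNameTooLong = errors.New("full name exceeds maximum length")
var ErrNameInvalid = errors.New("full name is not valid text")

// ValidateFullName bounds the name before it is stored. It counts runes rather than
// bytes so multi-byte text is limited consistently, and rejects control characters
// that could break rendering on the client side.
func ValidateFullName(name string) error {
	if !utf8.ValidString(name) {
		return ErrNameInvalid
	}
	if utf8.RuneCountInString(name) > maxFullNameRunes {
		return ErrNameTooLong
	}
	for _, r := range name {
		if unicode.IsControl(r) {
			return ErrNameInvalid
		}
	}
	return nil
}

type ProfileUpdate struct { // assumed shape of the profile-update payload
	FullName string `json:"name"`
}

// DecodeProfileUpdate caps the request body so an oversized payload fails while it is
// being read, before it is buffered in full, then validates the decoded name.
func DecodeProfileUpdate(w http.ResponseWriter, r *http.Request) (ProfileUpdate, error) {
	var upd ProfileUpdate
	r.Body = http.MaxBytesReader(w, r.Body, maxProfileBody)
	if err := json.NewDecoder(r.Body).Decode(&upd); err != nil {
		return upd, err // "http: request body too large" once the cap is hit
	}
	return upd, ValidateFullName(upd.FullName)
}
```

The body cap protects the server from buffering an unbounded payload at all; the rune check is what keeps an over-long name out of the database and away from the client that renders it.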

We are processing your report and will contact the cortezaproject/corteza-server team within 24 hours. 7 months ago
Kiran PP
7 months ago

Researcher


PoC Link:

https://drive.google.com/drive/folders/1xKb1F2lZ7OJ0ySWgNr3yEHWiTOcHxBZ1?usp=sharing

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 7 months ago
Kiran PP
7 months ago

Researcher


Please NOTE:

Those bulk names in the PoC were deliberately made that way for clarification. They were changed to short names right after the screenshot was taken.

Kiran PP modified the report
7 months ago
We have sent a follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 7 months ago
Kiran PP
6 months ago

Researcher


Any updates? :)

We have sent a second follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 6 months ago
We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. 6 months ago
Kiran PP
6 months ago

Researcher


@admin No updates yet :)

Jamie Slome
6 months ago

Admin


It might be worth getting in touch with the maintainer and softly checking if they are aware of the report.

Kiran PP
6 months ago

Researcher


@Admin 🤡

I laughed for 10 minutes.

Tomaž Jerman
4 months ago

Maintainer


I do apologise for poor responsiveness; I will try to be more active with updates from now on

Tomaž Jerman validated this vulnerability 4 months ago
Kiran PP has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the cortezaproject/corteza-server team. This report is now considered stale. 3 months ago
Denis Arh confirmed that a fix has been merged on 72c93c 3 months ago
The fix bounty has been dropped