Out-of-bounds Write in cortezaproject/corteza-server

Valid

Reported on

Nov 8th 2021


Description

There is no length limit on the number of characters (including special characters) accepted in the user's name field.

Vulnerable Field: Full Name

By sending a very long string it is possible to cause a denial-of-service condition on the server. This may lead to the website becoming unavailable or unresponsive. The bulk (unbounded) input is stored on the server, and the DoS affects both the server side and the client side.
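As an added illustration of the missing bound (this is example code written for this page, not Corteza's code and not the contents of the fix commit, which is not shown here), the following Go snippet enforces a length limit on the Full Name field and caps the size of the whole update-profile request body before anything is stored. The limit values, the handler, the form field name fullName and the request path are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"unicode/utf8"
)

// Illustrative limits (assumptions for this example, not values taken from Corteza).
const (
	MaxFullNameRunes = 256      // upper bound on visible characters
	MaxFullNameBytes = 1024     // upper bound on stored bytes (UTF-8 may use 4 bytes per rune)
	MaxProfileBody   = 64 << 10 // 64 KiB cap on the entire update-profile request body
)

var (
	ErrNameEmpty   = errors.New("full name must not be empty")
	ErrNameTooLong = errors.New("full name exceeds the maximum length")
	ErrNameInvalid = errors.New("full name contains invalid characters")
)

// ValidateFullName rejects names that are not valid UTF-8, oversized (in bytes or
// in characters), blank, or that contain control characters. The byte bound is
// checked first so that a multi-megabyte string is rejected before any further work.
func ValidateFullName(name string) error {
	if !utf8.ValidString(name) {
		return ErrNameInvalid
	}
	if len(name) > MaxFullNameBytes {
		return ErrNameTooLong
	}
	trimmed := strings.TrimSpace(name)
	if trimmed == "" {
		return ErrNameEmpty
	}
	if utf8.RuneCountInString(trimmed) > MaxFullNameRunes {
		return ErrNameTooLong
	}
	for _, r := range trimmed {
		if r < 0x20 || r == 0x7f { // ASCII control characters
			return ErrNameInvalid
		}
	}
	return nil
}

// updateProfile is a hypothetical profile-update handler. The body cap stops an
// attacker from sending an arbitrarily large form; the field check stops an
// oversized name from being persisted and later rendered by clients.
func updateProfile(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxProfileBody)
	if err := r.ParseForm(); err != nil {
		http.Error(w, "request body too large or malformed", http.StatusRequestEntityTooLarge)
		return
	}
	if err := ValidateFullName(r.FormValue("fullName")); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// SubmitProfile drives the handler offline with httptest and returns the HTTP status code.
func SubmitProfile(fullName string) int {
	form := url.Values{"fullName": {fullName}}
	req := httptest.NewRequest(http.MethodPost, "/auth/profile", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	updateProfile(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(SubmitProfile("Ada Lovelace"))               // accepted
	fmt.Println(SubmitProfile(strings.Repeat("A", 5000)))    // rejected by the field check
	fmt.Println(SubmitProfile(strings.Repeat("A", 100_000))) // rejected by the body cap
}
```

The two layers are deliberate: the body cap protects the server from reading and buffering a huge request at all, while the per-field check keeps the stored value small enough that the profile page and any API listing that includes it stay cheap to render.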

Proof of Concept

Reproduction steps

1. Go to: https://latest.cortezaproject.org/auth
2. Enter a very long string in the Full Name field (the vulnerable field).
3. Update the profile.
4. Done.

Impact

This vulnerability can exhaust both client-side and server-side resources and bring down availability (application-level DoS).

We are processing your report and will contact the cortezaproject/corteza-server team within 24 hours. a year ago
7h3h4ckv157
a year ago

Researcher


PoC Link:

https://drive.google.com/drive/folders/1xKb1F2lZ7OJ0ySWgNr3yEHWiTOcHxBZ1?usp=sharing

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back a year ago
7h3h4ckv157
a year ago

Researcher


Please NOTE:

The bulk names in the PoC were made that way for clarification. They were changed to a short name right after the screenshot was taken.

7h3h4ckv157 modified the report
a year ago
We have sent a follow up to the cortezaproject/corteza-server team. We will try again in 7 days. a year ago
7h3h4ckv157
a year ago

Researcher


Any updates? :)

We have sent a second follow up to the cortezaproject/corteza-server team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. a year ago
7h3h4ckv157
a year ago

Researcher


@admin No updates yet :)

Jamie Slome
a year ago

Admin


It might be worth getting in touch with the maintainer and softly checking if they are aware of the report.

7h3h4ckv157
a year ago

Researcher


@Admin 🤡

I laughed for 10 minutes.

Tomaž Jerman
a year ago

Maintainer


I do apologise for the poor responsiveness; I will try to be more active with updates from now on.

Tomaž Jerman validated this vulnerability a year ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the cortezaproject/corteza-server team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the cortezaproject/corteza-server team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the cortezaproject/corteza-server team. This report is now considered stale. a year ago
Denis Arh marked this as fixed in 0.0.0-20210421065539-cce4f5f9f700 with commit 72c93c a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE