Out-of-bounds Write in tsolucio/corebos

Valid

Reported on

Nov 18th 2021


Description

There is no length limit on the number of characters/special characters accepted in "Add Module - Window Title" (Add window --> Modules).

javascript:chooseType('Module');fnRemoveWindow();setFilter(document.getElementById('selmodule_id'))

Steps to reproduce

Step 1. Go to https://demo.corebos.com/index.php?action=index&module=Home

Step 2. Add Window (right corner)

Step 3. Select module (1st option)

Step 4. An unbounded number of characters can be entered into the Window Title

Step 5. Done

Impact

Application-level DoS. This vulnerability is capable of bringing down the availability of both client- and server-side resources.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 16 days ago
7h3h4ckv157
16 days ago

Researcher


PoC Link:- https://drive.google.com/drive/folders/1bZUklTB0QFW6Wst45sfDN6XgZ_x37Z4f?usp=sharing

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 15 days ago
Joe Bordes
15 days ago

Maintainer


Can you please explain this issue to me? I see that the title string is truncated on screen and I don't understand the security risk that this represents.

7h3h4ckv157
14 days ago

Researcher


When the text is large enough, the service suffers a fleeting blackout in a production environment. That can lead to memory corruption on the server. This may lead to a server-side Denial of Service assault or excessive memory consumption. You have to limit input length.

Regards,

7h3h4ckv157
14 days ago

Researcher


Here are some references:

https://hackerone.com/reports/768677

https://hackerone.com/reports/764434

https://hackerone.com/reports/161947

7h3h4ckv157
14 days ago

Researcher


Hey, I noticed a new issue. When I attempted to change the password, I found that you haven't set any password length boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on the server and would be an easy target for an application-level Denial of Service attack.

References:

https://www.google.com/search?q=no+length+password+length+leads+to+dos+&client=firefox-b-d&sxsrf=AOaemvLHSo00k12eN0te7YZNGrtqstSpBA%3A1636573491846&ei=MyGMYY-FM6vA3LUP17Kh6AY&oq=no+length+password+length+leads+to+dos+&gs_lcp=Cgdnd3Mtd2l6EAMyBAgjECc6BwgAEEcQsANKBAhBGABQ2QNYzhFg1hRoAXACeACAAZADiAGUBpIBBTMtMS4xmAEAoAEByAEIwAEB&sclient=gws-wiz&ved=0ahUKEwjP6oStx470AhUrILcAHVdZCG0Q4dUDCA0&uact=5

regards,
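The mitigation asked for in both messages above (a length limit on the window title and a length limit on passwords, enforced before any hashing) as an added example; this is illustrative Python written for this page, not corebos code, and the byte caps, field names and PBKDF2 parameters are assumptions:

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Caps below are assumptions for this example, not corebos configuration values.
MAX_TITLE_BYTES = 255
MAX_PASSWORD_BYTES = 128      # bcrypt, for comparison, silently stops at 72 bytes
PBKDF2_ITERATIONS = 100_000


class InputTooLong(ValueError):
    """Raised before any storage or hashing work is done on oversized input."""


def check_length(value: str, max_bytes: int, field: str) -> str:
    # Measure encoded bytes, not characters: multi-byte text would otherwise
    # pass a character-count check yet still exceed storage and hashing budgets.
    size = len(value.encode("utf-8"))
    if size > max_bytes:
        raise InputTooLong(f"{field}: {size} bytes exceeds the {max_bytes}-byte limit")
    return value


def validate_window_title(title: str) -> str:
    # The "Add Module - Window Title" field: trim, then reject anything over the cap.
    return check_length(title.strip(), MAX_TITLE_BYTES, "window_title")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Length is checked before the deliberately slow KDF runs, so an oversized
    # password costs the server one len() call instead of a full hash.
    check_length(password, MAX_PASSWORD_BYTES, "password")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    try:
        _, digest = hash_password(password, salt)
    except InputTooLong:
        return False  # oversized login attempts are refused without hashing
    return hmac.compare_digest(digest, expected)


def title_accepted(title: str) -> bool:
    try:
        validate_window_title(title)
    except InputTooLong:
        return False
    return True
```

The same check belongs on every server-side entry point that stores or hashes the value, since a client-side `maxlength` attribute can be removed by the sender.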

7h3h4ckv157
14 days ago

Researcher


Please consider both issues I pointed out. It'll be better to settle the cases in a single report, so I don't have to write multiple times. Hope you get back soon.

Regards,

Joe Bordes validated this vulnerability 13 days ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on 15788f 11 days ago
Joe Bordes has been awarded the fix bounty