Out-of-bounds Write in tsolucio/corebos

Valid

Reported on

Nov 18th 2021


Description

There is no limit on the number of characters (including special characters) accepted by the "Window Title" field in "Add Module" (Add window --> Modules).

javascript:chooseType('Module');fnRemoveWindow();setFilter(document.getElementById('selmodule_id'))

Steps to reproduce

Step 1. Go to https://demo.corebos.com/index.php?action=index&module=Home

Step 2. Click "Add Window" (top right corner)

Step 3. Select a module (first option)

Step 4. An unbounded number of characters can be entered into the Window Title field

Step 5. Done

Impact

Application-level DoS. This vulnerability can degrade the availability of both client-side and server-side resources.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 10 days ago
7h3h4ckv157
10 days ago

Researcher


PoC Link:- https://drive.google.com/drive/folders/1bZUklTB0QFW6Wst45sfDN6XgZ_x37Z4f?usp=sharing

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 9 days ago
Joe Bordes
8 days ago

Can you please explain this issue to me? I see that the title string is truncated on screen and I don't understand the security risk that this represents.

7h3h4ckv157
8 days ago

Researcher


When the text size is large enough, the service suffers a fleeting blackout in a production environment. That can lead to memory corruption on the server. This may lead to a server-side Denial of Service assault or excessive memory consumption. You have to limit the input length.

Regards,

7h3h4ckv157
8 days ago

Researcher


Here are some references:

https://hackerone.com/reports/768677

https://hackerone.com/reports/764434

https://hackerone.com/reports/161947

7h3h4ckv157
8 days ago

Researcher


Hey, I noticed a new issue. When I attempted to change the password, I found that you haven't kept any password boundary. You need to limit the password length. Hashing a large amount of data can cause significant resource consumption on the server and would be an easy target for an application-level Denial of Service attack.

References:

https://www.google.com/search?q=no+length+password+length+leads+to+dos+&client=firefox-b-d&sxsrf=AOaemvLHSo00k12eN0te7YZNGrtqstSpBA%3A1636573491846&ei=MyGMYY-FM6vA3LUP17Kh6AY&oq=no+length+password+length+leads+to+dos+&gs_lcp=Cgdnd3Mtd2l6EAMyBAgjECc6BwgAEEcQsANKBAhBGABQ2QNYzhFg1hRoAXACeACAAZADiAGUBpIBBTMtMS4xmAEAoAEByAEIwAEB&sclient=gws-wiz&ved=0ahUKEwjP6oStx470AhUrILcAHVdZCG0Q4dUDCA0&uact=5

regards,
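The two server-side length checks this thread asks for (the "Window Title" field from the report description and the password-change form from the comment above), as an added PHP example. This is not coreBOS project code and does not use any coreBOS API; the caps of 100 characters for the title and 128 bytes for the password are assumed values chosen for illustration, and the example assumes the mbstring extension is available.

```php
<?php
// Added example, not coreBOS project code: server-side length limits for the
// two fields discussed in the report. The caps below are assumed values, not
// values taken from the coreBOS code base.

declare(strict_types=1);

const MAX_TITLE_CHARS = 100;      // assumed cap for the "Window Title" field
const MAX_PASSWORD_BYTES = 128;   // assumed cap; bcrypt itself only uses the first 72 bytes

/**
 * Validate a window title before it is stored or rendered.
 * Returns the cleaned title, or null when the input must be rejected.
 */
function validateWindowTitle(string $title): ?string
{
    // Reject on raw byte length first so that mb_strlen() never has to walk an
    // arbitrarily large string (a UTF-8 character is at most 4 bytes).
    if (strlen($title) > MAX_TITLE_CHARS * 4) {
        return null;
    }
    if (!mb_check_encoding($title, 'UTF-8')) {
        return null;
    }
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > MAX_TITLE_CHARS) {
        return null;
    }
    // Control characters have no place in a title that is shown in the UI.
    if (preg_match('/[\x00-\x1F\x7F]/u', $title)) {
        return null;
    }
    return $title;
}

/**
 * Hash a new password only after checking its length, so that an oversized
 * request body cannot force the server into an expensive hash computation.
 * Returns the hash, or null when the password must be rejected.
 */
function hashPasswordWithLimit(string $password): ?string
{
    $len = strlen($password);   // byte length is what the hash function sees
    if ($len < 8 || $len > MAX_PASSWORD_BYTES) {
        return null;
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample inputs for a quick self-check when run from the CLI.
if (PHP_SAPI === 'cli') {
    $cases = [
        'normal title'       => validateWindowTitle('Accounts overview') !== null,
        'oversized title'    => validateWindowTitle(str_repeat('A', 100000)) === null,
        'normal password'    => hashPasswordWithLimit('correct horse battery') !== null,
        'oversized password' => hashPasswordWithLimit(str_repeat('p', 1000000)) === null,
    ];
    foreach ($cases as $name => $ok) {
        printf("%-20s %s\n", $name, $ok ? 'PASS' : 'FAIL');
    }
}
```

Both checks run before any expensive work: the title is bounded on byte length before the multibyte length is computed, and the password is bounded before password_hash() is called, so the cost of handling an oversized request stays constant regardless of its size.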

7h3h4ckv157
8 days ago

Researcher


Please consider both issues I pointed out. It would be better to settle both cases in a single report, so I don't have to write multiple times. Hope you get back soon.

Regards,

Joe Bordes validated this vulnerability 7 days ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on 15788f 5 days ago
Joe Bordes has been awarded the fix bounty