No limit in email length may result in a possible DOS attack in ikus060/rdiffweb

Valid

Reported on

Sep 22nd 2022


Description

As per RFC the maximum length allowed for an email address is 255 characters. However, rdiffweb don't validate email length, so you can add email addresses that exceed 255 characters. Through this, if you sign up for an email with a length of 1 million or more and log in, withdraw, or change your email, the server may cause DOS due to overload.

Proof of Concept

  1. Go to https://rdiffweb-demo.ikus-soft.com/prefs/general
  2. You can now change the email associated with your account from this endpoint
  3. Set a very long email that exceeds 1000 characters
  4. You will see that the long email is readily accepted and there is no fixed length for this user input parameter

Mitigation: The email parameter must have a specific user input length

Impact

An attacker can store a large email address as per his requirement which will possibly lead to a DOS attack / Buffer Overflow

References

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 2 months ago
Patrik Dufresne assigned a CVE to this report 2 months ago
Patrik Dufresne validated this vulnerability 2 months ago
nehalr777 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. 2 months ago
Patrik Dufresne marked this as fixed in 2.4.8 with commit 667657 2 months ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
config.py#L112-L164 has been validated
to join this conversation