The microweber application allows large characters to insert in the input field "fist & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber in microweber/microweber
Valid
Reported on
Mar 14th 2022
Proof of Concept
- Go to
http://127.0.0.1/admin/view:modules/load_module:users/action:profile
- Click on edit profile
- Fill the
first name & last name
field with huge characters, (more than 1 lakh) - Copy the below payload and put it in the input fields and click on continue.
- You will see the application accepts large characters and if we will increase the characters then it can lead to Dos.
Download the payload from here:
https://drive.google.com/file/d/1-e-lPMJxO7zBhcZOGKipnqOj3C4ygDGA/view?usp=drivesdk
Video & Image POC:
https://drive.google.com/drive/folders/1-lM2kFjS9p2Pjb9S0Nw_SuqPhW5Zohja
Patch recemmondation:
The first name & last name input should be limited to 50 characters or max 100 characters.
We are processing your report and will contact the
microweber
team within 24 hours.
a year ago
to join this conversation