The Microweber application accepts an unbounded amount of text in the "first & last name" input fields of the user profile, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Affected repository: microweber/microweber

Valid

Reported on

Mar 14th 2022


Proof of Concept

  1. Go to http://127.0.0.1/admin/view:modules/load_module:users/action:profile
  2. Click on "Edit profile".
  3. Fill the first name and last name fields with a very large input (more than 100,000 characters; "1 lakh" in the original report).
  4. Alternatively, download the payload linked below, paste it into both input fields and click "Continue".
  5. The application accepts the oversized input without any length check. Because the value is processed and stored as-is, increasing the size of the input increases the resources consumed per request, which can lead to DoS.

Download the payload from here:

https://drive.google.com/file/d/1-e-lPMJxO7zBhcZOGKipnqOj3C4ygDGA/view?usp=drivesdk

Video & Image POC:

https://drive.google.com/drive/folders/1-lM2kFjS9p2Pjb9S0Nw_SuqPhW5Zohja

Patch recommendation:

The first name and last name inputs should be limited to 50 characters (100 characters at most). The limit must be enforced on the server side, since a browser-side maxlength attribute is bypassed trivially by a crafted HTTP request.
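The following is an added illustration, not code from the Microweber project or from the report. It builds the kind of oversized form body the proof of concept above submits, shows a handler that accepts it without any check (the behaviour described in the report), and contrasts it with a hardened handler that applies the recommended limit. Two layers are checked: the raw request body is capped before it is even parsed, and each name field is then limited to a character count after Unicode normalisation, so that the cap cannot be dodged with decomposed characters. The field names first_name and last_name, the 16 KiB body cap and the urlencoded form format are assumptions for this example only.

```python
import unicodedata
import urllib.parse

# Limit recommended in the report: 50 characters, or 100 at most.
MAX_NAME_CHARS = 100
# Upper bound on the raw form body we are willing to parse at all.
# Assumed value for this example; in a real deployment this belongs in the
# web server / framework request-size configuration as well.
MAX_BODY_BYTES = 16 * 1024


class InvalidInput(ValueError):
    """Raised when a request is rejected by the hardened handler."""


def build_poc_body(n_chars=100_000):
    """Construct a form body like the report's payload: >100,000 characters
    in both name fields (constructed sample input, not the report's file)."""
    huge = "A" * n_chars
    return urllib.parse.urlencode({"first_name": huge, "last_name": huge}).encode()


def vulnerable_update_profile(first_name, last_name):
    """Mirrors the behaviour the report describes: any length is accepted
    and passed straight through to storage/rendering."""
    return {"first_name": first_name, "last_name": last_name}


def validate_name(value, field, max_chars=MAX_NAME_CHARS):
    """Return a cleaned name or raise InvalidInput.

    Normalise to NFC before counting so that a name written with combining
    characters is measured the same way as its precomposed form, strip
    surrounding whitespace, enforce the length limit and reject control
    characters (category C*), which have no place in a display name."""
    if not isinstance(value, str):
        raise InvalidInput(f"{field}: must be a string")
    value = unicodedata.normalize("NFC", value).strip()
    if not value:
        raise InvalidInput(f"{field}: must not be empty")
    if len(value) > max_chars:
        raise InvalidInput(
            f"{field}: {len(value)} characters exceeds the limit of {max_chars}"
        )
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        raise InvalidInput(f"{field}: control characters are not allowed")
    return value


def hardened_update_profile(body, max_body_bytes=MAX_BODY_BYTES):
    """Handle a raw application/x-www-form-urlencoded body.

    The size check runs on the raw bytes before any parsing, so an oversized
    request is refused before it costs decoding, validation or storage work.
    Only then are the individual fields parsed and length-limited."""
    if len(body) > max_body_bytes:
        raise InvalidInput(
            f"request body of {len(body)} bytes exceeds {max_body_bytes} bytes"
        )
    fields = urllib.parse.parse_qs(body.decode("utf-8"), keep_blank_values=True)
    first = validate_name(fields.get("first_name", [""])[0], "first_name")
    last = validate_name(fields.get("last_name", [""])[0], "last_name")
    return {"first_name": first, "last_name": last}


if __name__ == "__main__":
    poc = build_poc_body()
    print("PoC body size:", len(poc), "bytes")
    # The vulnerable handler happily stores 100,000-character names.
    print("vulnerable handler stored",
          len(vulnerable_update_profile("A" * 100_000, "A" * 100_000)["first_name"]),
          "characters")
    try:
        hardened_update_profile(poc)
    except InvalidInput as exc:
        print("hardened handler rejected PoC:", exc)
    ok = urllib.parse.urlencode({"first_name": "Akshay", "last_name": "Ravi"}).encode()
    print("hardened handler accepted:", hardened_update_profile(ok))
```

Note that the field-level limit alone is not enough on its own: a 100,000-character value still has to be received and parsed before a per-field check can reject it, which is why the body-size cap runs first and why the same cap should also be configured in the web server or framework in front of the application.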

We are processing your report and will contact the microweber team within 24 hours. a year ago
Bozhidar Slaveykov validated this vulnerability a year ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 80e390 a year ago
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE