Uncontrolled Resource Consumption in "Category Editor" in causefx/organizr
Reported on
May 11th 2022
Description
The Organizr application accepts an arbitrarily large number of characters in the "Category Editor" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept
1. Log in to the application.
2. Go to "Tab Editor" -> "Categories".
3. Click on the + button, fill in all details, capture the request in Burp Suite, and send it to Repeater.
4. Copy the payload from this link: https://drive.google.com/file/d/11AwLp8Ae1_eJqGb44W9QJDtPmVw-1RSQ/view?usp=sharing and paste it after the parameter "category=", then click Go.
5. You will see that the application accepts 1,000,000 characters.
Video PoC
https://drive.google.com/file/d/1AK-fV4JkgYxaTciAQUvk3W1TfXm1Hj3c/view?usp=sharing
Impact
This vulnerability can be abused to perform a DDoS attack, after which genuine users will not be able to access resources/applications.
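A server-side mitigation for the issue above, added here as an example (not Organizr's own code): it rejects oversized request bodies before they are read and caps the character count of the category field. The field name "category", the limit values and the sample inputs are assumptions chosen for illustration.

```python
# Added example (not Organizr code): server-side limits that stop an
# oversized "category" value from being accepted and stored.
# Assumed: the editor posts a form field named "category"; the limits
# below are illustrative values chosen for this example.
from typing import Dict, Tuple

MAX_BODY_BYTES = 8 * 1024      # refuse the request before reading the body
MAX_CATEGORY_CHARS = 64        # a category display name never needs more


def check_request_size(content_length: int) -> Tuple[int, str]:
    """Pre-read guard: refuse bodies larger than MAX_BODY_BYTES.
    Returning 413 here means the server never buffers the payload."""
    if content_length < 0:
        return 400, "missing or invalid Content-Length"
    if content_length > MAX_BODY_BYTES:
        return 413, f"body of {content_length} bytes exceeds {MAX_BODY_BYTES}"
    return 200, "ok"


def validate_category(value: str) -> Tuple[int, str]:
    """Field-level guard: length is counted in characters (code points),
    so multi-byte input is judged by the same limit as ASCII."""
    stripped = value.strip()
    if not stripped:
        return 400, "category must not be empty"
    if len(stripped) > MAX_CATEGORY_CHARS:
        return 400, f"category longer than {MAX_CATEGORY_CHARS} characters"
    return 200, "ok"


def handle_category_post(content_length: int, form: Dict[str, str]) -> Tuple[int, str]:
    """Apply both guards in order: body size first, then the field itself."""
    status, reason = check_request_size(content_length)
    if status != 200:
        return status, reason
    return validate_category(form.get("category", ""))


if __name__ == "__main__":
    # Constructed inputs: a normal name and a 1,000,000-character value
    # like the payload described in the report.
    normal = {"category": "Media"}
    huge = {"category": "A" * 1_000_000}
    print(handle_category_post(len("category=Media"), normal))        # (200, 'ok')
    print(handle_category_post(len("category=") + 1_000_000, huge))  # (413, ...)
```

In a PHP deployment such as Organizr's, the body cap corresponds to the post_max_size setting, which is enforced before application code runs; the field-length check still belongs in the application.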